How to run searches based on lookup table details

falkienltd
New Member

Hi
I'm trying to match a table listing tasks for a client with a task run result. The task table shows whether the task is set enabled or disabled, which means whether I need to check the task result and list it. Each task will use a different search to test its result, since the data is spread across different sourcetypes etc. We basically need to see if all the listed tasks ran successfully or not. One failure means an alert has to be raised.

Let's say we have a table like this (it is a CSV-file-based inputlookup):

task    client1   client2
task1   true      false
task2   false     true
task3   false     true

Conditions to check per task:
task1: index=index1 sourcetype=s1 ..... | stats count - success if >0
task2: index=index1 sourcetype=s2 ..... | stats count - success if >0
task3: index=index1 sourcetype=s3 ..... | stats count - success if >0

In our example:
for client1, send an alert if task1 is a failure
for client2, send an alert if task1 or task2 is a failure

How do I run such an iteration for a client, doing the condition check for each task=true? Maybe add a column with a search, or add a column and dynamically update the result?

Any ideas much appreciated; sorry if a similar thing has been answered before. I'm quite fresh to Splunk.

Thanks
Daz


koshyk
Super Champion

Please try:

| inputlookup yourTask.csv
| fields task client1 client2
| rex field=task "task(?<taskId>\d+)" | eval mysourcetype="s"+taskId
| map search="search index=index1 sourcetype=$mysourcetype$ | stats count ..."
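Putting the two halves of the thread together (the enabled/disabled lookup from the question and the map approach from the answer), here is an added end-to-end search written for this page; it is not koshyk's posted search and not part of the original thread. It assumes the lookup is named yourTask.csv with columns task, client1 and client2, that each taskN is checked against sourcetype sN in index1 as the question sketches, and that the enabled flag is stored as the string "true". It goes one step beyond the answer by keeping only the tasks enabled for one client and collapsing the per-task counts into a single row that an alert can fire on.

```spl
| inputlookup yourTask.csv
| fields task client1
| where client1="true"
| rex field=task "task(?<taskId>\d+)"
| eval mysourcetype="s".taskId
| map maxsearches=50 search="search index=index1 sourcetype=$mysourcetype$ earliest=-24h | stats count | eval task=\"$task$\""
| eval status=if(count>0,"success","failure")
| stats count(eval(status="failure")) AS failures, values(eval(if(status="failure",task,null()))) AS failed_tasks, values(task) AS checked_tasks
| where failures>0
```

The `where client1="true"` line is what the original answer leaves out: without it, map runs the check for every row of the lookup, including tasks that are disabled for that client. Because map only returns the rows produced by the inner search, the inner search has to carry the task name back out itself, which is what the `eval task=\"$task$\"` does (the quotes are backslash-escaped because the whole inner search is already inside double quotes). `maxsearches` defaults to 10, so raise it to at least the number of enabled tasks or map will silently stop early. Saved as an alert with the trigger condition "number of results is greater than 0", the search fires once when any enabled task has zero matching events in the window, and `failed_tasks` names which ones. To cover client2, change the two `client1` references; a per-client lookup of sourcetype-to-task mappings would remove the dependency on the taskN / sN naming convention.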