cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
weddi_eddy
Explorer
Member since: ‎09-14-2022
‎09-15-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-14-2022
View All

Re: How to search a log if a match hasn't been see...

by in Splunk Search
‎09-15-2022 11:03 AM
‎09-15-2022 11:03 AM
Thanks so much! Had a few typos at first but this worked as intended! ... View more

Re: How can get an alert for each host in a lookup...

by in Splunk Search
‎09-15-2022 10:56 AM
‎09-15-2022 10:56 AM
If I perform a search for: eventtype="nix-all-logs" sourcetype=syslog "squirrel" | stats values(SourceIP) as data I get: data Performing an audit check... added file on host hostname_1: f+++++++++++++++++: /opt/folder/logs/2022-Sep-15_file.log changes were found when we performed our check. database containing your updates was created and renamed. We will start using the updated database for file changes. file was changed on host hostname_3: d =.... mc.. .. . : /opt/folder/other_folder file was changed on host hostname_3: f >.... mc..H.. . : /opt/folder/logs/file.log I use SourceIP because when I run: eventtype="nix-all-logs" sourcetype=syslog "squirrel" | stats values() SourceIP is the value that contains the data I want to sort. So far, so good. However, when I include the lookup, it says that there are matches but nothing is returned: eventtype="nix-all-logs" sourcetype=syslog "squirrel" | stats values(SourceIP) as data by host [|inputlookup mylookup.csv | fields MY_Hostname | rename MY_Hostname as host]  If run the lookup by itself, it returns a list of each host in the lookup: |inputlookup mylookup.csv | fields MY_Hostname | rename MY_Hostname as host If I can get the 'data' column above to be listed by each host from the above lookup, I think that would do what I need. So, in my example, I should get a table that roughly looks like: hostname_1 Performing an audit check... added file on host hostname_1: f+++++++++++++++++: /opt/folder/logs/2022-Sep-15_file.log changes were found when we performed our check. database containing your updates was created and renamed. We will start using the updated database for file changes. hostname_3 file was changed on host hostname_3: d =.... mc.. .. . : /opt/folder/other_folder file was changed on host hostname_3: f >.... mc..H.. . : /opt/folder/logs/file.log From here, I can then tell the alert to alerts on each result. If you need to see the alerts, what exactly do you need to see to help? ... View more

How to search a log if a match hasn't been seen in...

by in Splunk Search
‎09-14-2022 12:05 PM
‎09-14-2022 12:05 PM
I currently have a lookup that contains two columns. Hostnames and Location.  I can use the following formula to search for squirrel in all hostnames in this lookup: "squirrel" [| inputlookup mylookup.csv | fields MY_Hostname | rename MY_Hostname as host] What I would like to do is to set up an alert where for each hostname in My_Hostname, Splunk will look for "squirrel". If the Number of Results found is equal to 0 (meaning that the squirrel log was not created) in a 24 hour period, I would like an email sent out with that hostname in the email. I know I can set it up with all hostnames from the lookup, but the issue I see is that if hostname_1 has "squirrel" and hostname_4 does not, it will be greater than 0. I effectively want to know if an application is not running and which host it is not running on. The application will generate "squirrel" at least once in a 24 hour period. (If you don't like squirrels, you can insert your animal of choice here). ... View more
Labels

How can get an alert for each host in a lookup?

by in Splunk Search
‎09-14-2022 11:59 AM
‎09-14-2022 11:59 AM
I currently have a lookup that contains two columns. Hostnames and Location.  I can use the following formula to search for squirrel in all hostnames in this lookup: "squirrel" [| inputlookup mylookup.csv | fields MY_Hostname | rename MY_Hostname as host]  Works like a dream. I've also set up an alert for this to trigger once. The issue I have is that the alert email is consolidated with all the different matches. For example: "squirrel" is found: a few times in hostname_1 twice in hostname_3 and, 17 times in hostname_8. The email that is sent contains all the "squirrel" logs for all the hosts. What I would like to do is separate out each alert by individual hostname. So, in our example, I should receive 3 email alerts. One for hostname_1 with a few records, one for hostname_3 with two records and once for hostname_8 with 17 records. Is there a way to perform a sort of for loop for the lookup so that I can simply update it instead of having to manage a bunch of alerts? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-15-2022 02:29 PM
Karma given to
View All