search alert using static file

gudavasr · ‎02-15-2013

Hi,
I will have a csv file like this:
cachename, value
max,1000
min, 100

I want to do search | fileds cachename, value | and compare the value to the value in csv file and send alert if it is =1000 or <1000 like that.
is this possible in Splunk? if possible can you please let me know the best way to do it.

Thank You

martin_mueller · ‎02-15-2013

In other words, you want to define the alert triggering condition based on minimum and maximum values for a field from a csv file?

Here's a mildly hacked approach: I've defined a test.csv with two columns, min and max, with values 300 and 600. Do the same (in $SPLUNK_HOME/etc/system/lookups) and compare these two queries:

| gentimes start=-1 increment=5m | eval foo = starttime % 1200

| gentimes start=-1 increment=5m | eval foo = starttime % 1200 | search [inputlookup test.csv | return min max | eval search = replace(search, "min=", "foo>=") | eval search = replace(search, "max=", "foo<=")]

The first is the unfiltered one, with foo values from 0 to 900. The second filters the previous result based on the limits defined in the CSV file and only returns those events with 300<=foo<=600.

I'm not certain whether the trigger-conditions-in-CSV-file approach is the best for your problem though, what do you want to achieve?

martin_mueller · ‎02-15-2013

gentimes generates time range results, I use it to simulate actual events.

gudavasr · ‎02-15-2013

I will try this approach but why to gentimes? can I just use inputlookup part?

search alert using static file

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!