Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a Splunk alert upon any new table entry

rsantkumar
Observer
‎07-13-2020 07:11 PM

Hi. I have a splunk table which tracks  all the plugin version available to install for each plugin. Please note that each plugin can have multiple values. The idea is to alert when a new  version becomes available for any of the plugins(latest entry). the search runs every 5 mins.

rsantkumar_0-1594692562342.png

 

 

Kindly help.

 

Labels (1)
Labels
0 Karma
Reply

jacobpevans
Motivator
‎07-15-2020 03:29 PM

By "splunk table", I assume you mean the results of a search as it appears in your screenshot. If this is the case, you can compare the current data to a previous time's data. The search below will retrieve the unique data from the previous five minutes but only if it is not present in the previous day outside that five minute window.

index=<your_index> sourcetype=<your_sourcetype> earliest=-5m latest=now
| table key Plugin_version Release
| search NOT
    [ | search index=<your_index> sourcetype=<your_sourcetype> earliest=-1d latest=-5m
      | table key Plugin_version Release ]

 

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-14-2020 12:43 AM

Hi @rsantkumar,

To solve your requirement, you could have two approaches:

extract all the versions of each product and check that every target host has the highest, or, in different words, that they have all the same version.

In this way you cannot check the alignment with the newest version but only that all the versions are aligned.

Otherwise, you could create a lookup containing the latest version of each product to verify and check if all the targets are aligned with this version.

Ciao.

Giuseppe

0 Karma
Reply

rsantkumar
Observer
‎07-15-2020 03:18 PM

@gcusello: Thanks for your reply. The problem with these approaches in my case is that the release of versions is quite often and the idea is to notify us as soon as a new version is available for a plugin for us to use.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...