
Lookup Table - only send email if the Event is NOT on the Lookup Table list

MasterOogway
Communicator

If I have a lookup table with the following information in it (see below), how do I send an email if the "event" found is NOT on the list?

For example, what if the event extracted was '%SPANTREE-SP-2-RECV_BAD_TLV'?

error,action,email
SYS-3-PORT_RX_BADCODE,TRUE,some@group.com
SYS-3-PORT_DEVICENOLINK,TRUE,some@group.com
SYS-3-PORT_BADPORT,TRUE,DEFAULT
TTY-3-AUTOCONFIG,TRUE,DEFAULT
ARC22056-4-minor,TRUE,DEFAULT
AUT21097-4-minor,TRUE,DEFAULT
C4K_EBM-4-HOSTFLAPPING,TRUE,DEFAULT
DHCPDBG-4-39,TRUE,DEFAULT
DOT11-4-TKIP_REPLAY,TRUE,some@group.com
DHCP_SNOOPING-4-AGENT_OPERATION_FAILED,TRUE,DEFAULT


props.conf:

[syslog_info]
EXTRACT-cisco_event = (?<error>\%.*-\b([0-4])\-.*?):\s
LOOKUP-foo = cisco_event_error error

transforms.conf

[cisco_event_error]
filename = syslog_alerter.csv


Currently this search finds all events found in the lookup table:

sourcetype="syslog_info" | lookup syslog_alerter.csv error

araitz
Splunk Employee

My Windows & Linux DHCP apps use a similar technique.

Make this change to props.conf:

LOOKUP-foo = cisco_event_error error OUTPUTNEW

Then try this simple search:

sourcetype="syslog_info" error=* NOT action=*

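The question asks for an alert only when the extracted error code is absent from syslog_alerter.csv, and the accepted answer builds that exclusion with a lookup using OUTPUTNEW followed by NOT action=*. The Python below is an added simulation of that pipeline (it is not code from the thread or from Splunk) over constructed syslog lines: it applies the page's extraction regex, indexes the page's CSV by its error column, and keeps only events for which the lookup would add no action field. One assumption is made explicit in the code: the regex captures the leading "%" while the CSV keys on the page omit it, so the key is normalised before the lookup; in Splunk the extracted value has to equal the CSV key exactly (lookups are case-sensitive by default) or the lookup adds nothing and every event would look "unlisted".

```python
from __future__ import annotations

import csv
import io
import re

# Constructed lookup table with the same columns as the page's syslog_alerter.csv
# (a subset of its rows); the keys carry no leading "%", exactly as on the page.
SYSLOG_ALERTER_CSV = """\
error,action,email
SYS-3-PORT_RX_BADCODE,TRUE,some@group.com
SYS-3-PORT_DEVICENOLINK,TRUE,some@group.com
SYS-3-PORT_BADPORT,TRUE,DEFAULT
TTY-3-AUTOCONFIG,TRUE,DEFAULT
DOT11-4-TKIP_REPLAY,TRUE,some@group.com
"""

# The page's EXTRACT-cisco_event regex, with the named group written in Python's
# (?P<...>) syntax. It captures "%FACILITY-SEVERITY-MNEMONIC" for severities 0-4 only.
CISCO_EVENT_RE = re.compile(r"(?P<error>%.*-\b([0-4])-.*?):\s")

# Constructed syslog lines in Cisco IOS style. Only the first three carry a
# severity 0-4 code, and only the second of those is absent from the lookup table.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 sw01 123: %SYS-3-PORT_RX_BADCODE: Port Gi1/0/1 received bad code",
    "Jan 10 12:00:02 sw01 124: %SPANTREE-SP-2-RECV_BAD_TLV: Received BPDU with bad TLV",
    "Jan 10 12:00:03 sw02 125: %DOT11-4-TKIP_REPLAY: TKIP replay detected on client",
    "Jan 10 12:00:04 sw02 126: %LINK-5-CHANGED: Interface Gi1/0/2, changed state to up",
    "Jan 10 12:00:05 sw02 127: system clock synchronised, no Cisco code on this line",
]


def load_lookup(csv_text: str) -> dict[str, dict[str, str]]:
    """Index the CSV by its `error` column, as the lookup definition keys on it."""
    return {row["error"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def extract_error(event: str) -> str | None:
    """Field extraction: the `error` value, or None when the regex does not match."""
    m = CISCO_EVENT_RE.search(event)
    return m.group("error") if m else None


def lookup_key(error: str) -> str:
    # Assumption: the regex captures the leading "%" but the CSV keys omit it, so the
    # key is normalised here. In Splunk the extracted value must equal the CSV key
    # exactly (lookups are case-sensitive by default) for the lookup to add fields.
    return error.lstrip("%")


def unlisted_errors(events: list[str], lookup: dict[str, dict[str, str]]) -> list[str]:
    """Python equivalent of: sourcetype="syslog_info" error=* NOT action=*

    An event is alert-worthy only if it has an `error` field and the lookup
    (OUTPUTNEW) would add no `action` field, i.e. the code is not in the table."""
    alerts = []
    for event in events:
        error = extract_error(event)
        if error is None:
            continue                      # error=* : events without the field drop out
        if lookup_key(error) in lookup:
            continue                      # NOT action=* : listed codes are suppressed
        alerts.append(error)
    return alerts


if __name__ == "__main__":
    table = load_lookup(SYSLOG_ALERTER_CSV)
    for code in unlisted_errors(SAMPLE_EVENTS, table):
        print(f"ALERT (not in syslog_alerter.csv): {code}")
```

Run as a script it reports only %SPANTREE-SP-2-RECV_BAD_TLV; the %LINK-5-CHANGED line never gets an error field because the regex only accepts severities 0 to 4, so it is silently dropped rather than alerted on, which is worth keeping in mind when deciding what "not on the list" should cover. In SPL the same exclusion can also be expressed explicitly as a pipeline, `sourcetype="syslog_info" error=* | lookup cisco_event_error error OUTPUTNEW action | where isnull(action)`, which makes the lookup step visible in the search instead of relying on the automatic LOOKUP-foo from props.conf.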

araitz
Splunk Employee

Sweet! Don't forget to vote up my answer 🙂


MasterOogway
Communicator

After updating per your last correction post I was able to get the results I needed: "only send email if the Event is NOT on the Lookup Table list".
Always nice to get help from the best!


araitz
Splunk Employee

MasterOogway - my fault, I made some typos and put 'event' where it should have said 'error'. I edited your original post as well as my answer above, please give it another try.


MasterOogway
Communicator

I made this change and restarted but without luck. When I run your search I get no results.
When I run this search: sourcetype=syslog_info event=*, again, I get no results, but would have expected something. Any other thoughts?

What does the empty OUTPUTNEW without any following fields defined do? I understand the "NOT action=*" removes any of the csv's "true" entries.

Thanks for your help, araitz

pstein (MasterOogway)
