Trigger an alert For ANY Unique/NEW Incoming events or results

Trigger An Alert For Any Unique/New Incoming Events OR Results

Today we will take a look towards an alerting issue, where everyone is looking for a solution. I.e. we will create an alert which will trigger only if unique/new results are received.

Suppose we have a data from our website which is basically giving us information about all the users, trying to login using their credentials. Now we will try to create an alert that will trigger if only a new user is trying to login to our website. That means alert will only trigger if a new user is trying to log in using a new username.

Here we have data in an index called  “test_index”  and “web_data”  is the sourcetype. Where we are getting username of each existing user and the country name from where they are logging in.

1

Step 1:

Now at first, we will create a lookup with already existing data.

index="test_index" sourcetype="web_data"
| stats count by username country
| eval match="yes"
| outputlookup username.csv

2

Explanation:

Using the “stats” command we calculated the number of times one user is logged in into our website with “username” and “country” details. Then we created a field called “match” using “eval” command also put a string called “yes”  , which we will use as a reference field later while comparing with our indexed data. After that using outputlookup command we saved that result in a lookup file named “username.csv”.

You can also know about :  How to Match multiple "|" in the same event in Splunk Query Using REX in SPLUNK

Now if you search

| inputlookup username.csv

You will find the content of the “username.csv” lookup.

4

Step 2:

Now we will create an alert. Before creating the alert we will prepare the search string of the alert.

index="test_index" sourcetype="web_data"
|stats count by username country
| lookup username.csv username OUTPUTNEW country match
|search NOT match="yes"
| eval match="yes"
| outputlookup append=t username.csv
|fields - count match

Explanation:
Using the “stats” command we calculated the number of times one user is logged in into our website with “username” and “country” details. Then we have used the “lookupcommand and we have used “username” as a matching field between “username.csv and our indexed data. Which will bring all the usernames from lookup and index, and then we have used the outputnew attribute to bring the country details of those usernames which are missing in lookup, which means for newly updated usernames.  Then we are searching for those usernames where we don’t have match=yes, i.e. it will fetch only newly updated usernames because for the new users there won’t be any entry in the lookup file.  After that using eval“ command we have created a filed called “match” with values “yes” and using outputlookup command we added that new username in our lookup fileusername.csv (here we have used “append=t” that means new data will be appended with the existing data). We must have to update the lookup file in this way because this user will be existing user for the next time. Finally using fields command we excluded “count” and “match” fields from the results.

You can also know about :  How To View Search History In Splunk

Now we will save this as an alert.

Go to Settings > Searches, reports, and alerts > New alert

5

6

Now Create the alert, give any title, and paste the search string, and rest is mentioned below.

7

8

9

Finally, Save it and processed further.

Result:

Now, whenever it will receive any unique username alert will trigger.

10

11

If you see carefully that alert was triggered for a new username called “StromBreaker_red” from “CMR” country.

Hope you have understood the topic:  Trigger An Alert For Any Unique/New Incoming Events OR Results

Happy Splunking !!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.