Can i create alert based on splunk query?

riodante
riodante
in DNS, DHCP, IPAM (DDI)

Need Help!!

Create an alert from this splunk query:

source=ib:discovery:switch_port_capacity index=ib_discovery | fillnull value="N/A" | dedup network_view, device_id, interface_ip_address, interface_name | rename network_view as "Network View" InterfaceSubnet as "Network" device_ip_address as "Device IP" interface_ip_address as "Interface IP" interface_name as "Interface Name" interface_description as "Interface Description" device_model as "Device Model" device_vendor as "Device Vendor" device_version as "Device OS Version" device_type as "Device Type" device_name as "Device Name" is_trunk_port as "Trunk Port" interface_type as "Type" interface_speed as "Speed" interface_vlan as "Vlan ID" interface_vlan_name as "Vlan Name" interface_admin_status as "Admin Status" interface_port_status as "Operation Status" port_last_changed_at as "Last port Changed" aggregated_interface as "Aggregated Interface" | table "Network View" "Device IP" "Device Name" "Device Type" "Device Vendor" "Device Model" "Device OS Version" "Interface Name" "Interface IP" "Interface Description" "Admin Status" "Operation Status" "Last port Changed" "Trunk Port" "Type" "Speed" "Vlan ID" "Vlan Name" "Network" "Aggregated Interface" | fields "Device IP", "Device Model", "Device Name", "Device OS Version", "Device Type", "Device Vendor", "Interface Description", "Interface Name", "Last port Changed", "Operation Status"

1.png

the goals is alert triggered when theres a condition change in operation status "from up to down"

Tagged:

Answers

  • ThomasWilimitis
    ThomasWilimitis Admin

    Hi @riodante apologies for the delay on this response. We can address things that are specific to Infoblox products—such as the data indexes, etc.—but using Splunk in general, it's recommended to consult Splunk resources.

    From what I can tell, if you want to trigger this type of alert, you'll need to modify your search first (using streamstats for example) to filter out where the status transitioned from Up to Down. Then create an alert and set the trigger condition to "if number of results > 0."

    It's not my area of expertise, but I found this Splunk documentation which might be valuable. Hopefully that helps!

Categories