Hi All, We have the below query, which is triggered every day based on the missing UF servers in the lookup table, and it creates a ticket for each of them. Currently this alert creates a ticket multiple times for the same forwarder, but we need to open a ticket only once for each server.
For example, if testsplunk1 is "missing", it should open a ticket after 7 days. On the 8th day, if it is not resolved, it currently opens another ticket. This change should make Splunk aware that it has already opened a ticket for testsplunk1, so that it doesn't open another one the next day.
Current search query:
| inputlookup forwarder_assets
| makemv delim=" " avg_tcp_kbps_sparkline
| eval sum_kb = if (status == "missing", "N/A", sum_kb)
| eval avg_tcp_kbps_sparkline = if (status == "missing", "N/A", avg_tcp_kbps_sparkline)
| eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps)
| eval avg_tcp_eps = if (status == "missing", "N/A", avg_tcp_eps)
| rename_forwarder_type(forwarder_type) ----> This is a macro (I have removed the backtick symbols)
| eval current_time=now()
| eval diff_time=(current_time - last_connected)
| search status=missing
| fields hostname, forwarder_type, version, os, arch, status, sum_kb, avg_tcp_kbps_sparkline, avg_tcp_kbps, avg_tcp_eps, current_time, last_connected, diff_time
| search status=missing diff_time>604800
Kindly guide me on how to write/modify the query to create a ticket once per server instead of creating tickets multiple times for the same server.
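One way to get once-per-server behaviour is to keep the alert's own state in a lookup: the scheduled search filters out every host that already has a row in that lookup, and appends the hosts it is about to ticket. The query below is an added example written for this thread, not the poster's query or anything shipped with Splunk. It assumes a CSV lookup named forwarder_tickets.csv with the columns hostname and ticket_opened_at, created once (an empty file with just that header) before the alert is enabled; the field names from the original query (hostname, status, last_connected) are kept, and the poster's macro is left out because it only renames a display field.

```spl
| inputlookup forwarder_assets
| search status=missing
| eval diff_time = now() - last_connected
| where diff_time > 604800
| lookup forwarder_tickets.csv hostname OUTPUT ticket_opened_at
| where isnull(ticket_opened_at)
| eval ticket_opened_at = now()
| fields hostname, forwarder_type, version, os, arch, status, last_connected, diff_time, ticket_opened_at
| outputlookup append=true forwarder_tickets.csv
```

Walking through it: after the 7-day filter, `lookup ... OUTPUT ticket_opened_at` tags each missing host with its existing ticket timestamp if one was recorded; `where isnull(ticket_opened_at)` keeps only hosts that have never been ticketed; the `outputlookup append=true` at the end records those hosts, so on the 8th day testsplunk1 is dropped by the `isnull` check and the alert action sees no result for it. Because `outputlookup` passes its results through, the ticketing alert action still receives the same rows. Two caveats: the search writes state on every run, so it must stay a scheduled search with a single owner rather than an ad hoc search people re-run by hand, and a row should be removed from forwarder_tickets.csv when the ticket is closed (or when the forwarder reconnects, for example by a second scheduled search that rewrites the lookup without hosts whose status is no longer missing), otherwise a forwarder that goes missing a second time will never be ticketed again. If a fixed re-notification window is acceptable instead of a persistent record, the same effect with less plumbing is the alert's built-in Throttle setting ("Suppress results containing field value" set to hostname for a period such as 30d; in savedsearches.conf that is alert.suppress = 1, alert.suppress.fields = hostname, alert.suppress.period = 30d), which suppresses repeat firings per hostname without maintaining a lookup.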