https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211354#M61817 <P>Please share couple of events. Have you extracted these columns as KV pairs? That will have to be your first step. <A href="https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf">https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf</A></P> <P>Once you have fields extracted, you can do a search with <CODE>earliest=-5m</CODE>, this will alert you of any changes in the past 5 mins. Since this is an extracted field, real-time search may not work correctly.</P> Wed, 03 Aug 2016 20:25:11 GMT sundareshr 2016-08-03T20:25:11Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211352#M61815 <P>Hi everyone,</P> <P>I want to create an alert by email when one of the fields of my index changes. I have a file with different counters with values associated (one column for the counters name and one column for the value).</P> <P>I would like to be notified by email when the value of one specific counter changes.<BR /> I’ve read the documentation about real time alert, but I didn’t find anything that could help me. <BR /> Example: Let's say that I am interested in the "counter_1". If the value of counter_1 change I would like to be alerted. </P> <P>Could you help me with that issue?<BR /> Thanks!</P> Tue, 29 Sep 2020 10:30:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211352#M61815 clairebesson 2020-09-29T10:30:48Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211353#M61816 <P>If I read you right, then counter_1 is always X. So, setup the alert to exclude expected results, like X. But if counter_1=Y, the search will return a result, and you can alert on that. So...</P> <PRE><CODE> basesearch NOT counter_1=expectedvalue </CODE></PRE> <P>And then setup the alert to run at whatever interval, and alert if number of results is greater than one?</P> Tue, 29 Sep 2020 10:30:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211353#M61816 JDukeSplunk 2020-09-29T10:30:51Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211354#M61817 <P>Please share couple of events. Have you extracted these columns as KV pairs? That will have to be your first step. <A href="https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf">https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf</A></P> <P>Once you have fields extracted, you can do a search with <CODE>earliest=-5m</CODE>, this will alert you of any changes in the past 5 mins. Since this is an extracted field, real-time search may not work correctly.</P> Wed, 03 Aug 2016 20:25:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211354#M61817 sundareshr 2016-08-03T20:25:11Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211355#M61818 <P>Setup a search to run <CODE>every X minutes</CODE> and <CODE>over the last X+1 minutes</CODE> (where <CODE>X</CODE> is the same number) and search this:</P> <PRE><CODE>... | stats dc(counter_1) AS numValues | search numValues&gt;1 </CODE></PRE> Sat, 06 Aug 2016 23:55:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-when-a-certain-field-changes-from-a-value-to/m-p/211355#M61818 woodcock 2016-08-06T23:55:02Z