Alerting

Can you alert for if a field value is changed to a specific value?

bonnlbbelandres
Path Finder

i currently have an existing alert that notifies if the servers are down.

Say i have two columns: server_name and event_status.

event_status=60002 indicates if the servers are down.
event_status=60001 indicates if the servers are up

Please note that there are other values for event_status, but we are only focused on these two.

Existing alert for server down:

(base search) server_name=dfw* "EventCode=60002" earliest=-1h@h | dedup server_name | table server_name
//this is scheduled to run every 5 minutes and triggers once if there is any result

i would now want to have another alert that indicates if the servers are back to EventCode=60001 (from 60002)

Can you please help me?

Tags (2)
0 Karma

sdchakraborty
Contributor

Hi,

You can do something like below,

(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") >=0 AND mvfind(EventCode,"60002") >=0,"true","false")
| where back_to_normal = "true"

Sid

0 Karma

bonnlbbelandres
Path Finder

Hello, the query produced results or "alerted" when the servers went down.. They alerted almost the same time. I think it is because the query showed results with 60001 to 60002...
We would like to have a result only seeing 60002 and back to 60001. Is it possible to modify this query a little? Thanks

0 Karma

sdchakraborty
Contributor

can you try something like this below,

(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
 | eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") >=0,"true","false")
 | where back_to_normal = "true"

Sid

0 Karma

bonnlbbelandres
Path Finder

the eval expression is malformed. not sure if it's because of having two greater thans.

0 Karma

sdchakraborty
Contributor

ohh yes I forgot to remove the >=0 here is the correct code,

 (base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
  | eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") ,"true","false")
  | where back_to_normal = "true"
0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...