Alerting

Can you alert for if a field value is changed to a specific value?

bonnlbbelandres
Path Finder

i currently have an existing alert that notifies if the servers are down.

Say i have two columns: server_name and event_status.

event_status=60002 indicates if the servers are down.
event_status=60001 indicates if the servers are up

Please note that there are other values for event_status, but we are only focused on these two.

Existing alert for server down:

(base search) server_name=dfw* "EventCode=60002" earliest=-1h@h | dedup server_name | table server_name
//this is scheduled to run every 5 minutes and triggers once if there is any result

i would now want to have another alert that indicates if the servers are back to EventCode=60001 (from 60002)

Can you please help me?

Tags (2)
0 Karma

sdchakraborty
Contributor

Hi,

You can do something like below,

(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") >=0 AND mvfind(EventCode,"60002") >=0,"true","false")
| where back_to_normal = "true"

Sid

0 Karma

bonnlbbelandres
Path Finder

Hello, the query produced results or "alerted" when the servers went down.. They alerted almost the same time. I think it is because the query showed results with 60001 to 60002...
We would like to have a result only seeing 60002 and back to 60001. Is it possible to modify this query a little? Thanks

0 Karma

sdchakraborty
Contributor

can you try something like this below,

(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
 | eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") >=0,"true","false")
 | where back_to_normal = "true"

Sid

0 Karma

bonnlbbelandres
Path Finder

the eval expression is malformed. not sure if it's because of having two greater thans.

0 Karma

sdchakraborty
Contributor

ohh yes I forgot to remove the >=0 here is the correct code,

 (base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
  | eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") ,"true","false")
  | where back_to_normal = "true"
0 Karma
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...