Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you alert for if a field value is changed to a specific value?

bonnlbbelandres
Path Finder
‎01-03-2019 02:09 PM

i currently have an existing alert that notifies if the servers are down.

Say i have two columns: server_name and event_status.

event_status=60002 indicates if the servers are down.
event_status=60001 indicates if the servers are up

Please note that there are other values for event_status, but we are only focused on these two.

Existing alert for server down:

(base search) server_name=dfw* "EventCode=60002" earliest=-1h@h | dedup server_name | table server_name
//this is scheduled to run every 5 minutes and triggers once if there is any result

i would now want to have another alert that indicates if the servers are back to EventCode=60001 (from 60002)

Can you please help me?

Tags (2)
0 Karma
Reply

sdchakraborty
Contributor
‎01-03-2019 08:51 PM

Hi,

You can do something like below,

(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") >=0 AND mvfind(EventCode,"60002") >=0,"true","false")
| where back_to_normal = "true"

Sid

0 Karma
Reply

bonnlbbelandres
Path Finder
‎01-07-2019 03:15 PM

Hello, the query produced results or "alerted" when the servers went down.. They alerted almost the same time. I think it is because the query showed results with 60001 to 60002...
We would like to have a result only seeing 60002 and back to 60001. Is it possible to modify this query a little? Thanks

0 Karma
Reply

sdchakraborty
Contributor
‎01-08-2019 01:30 AM

can you try something like this below,

(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
 | eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") >=0,"true","false")
 | where back_to_normal = "true"

Sid

0 Karma
Reply

bonnlbbelandres
Path Finder
‎01-08-2019 07:00 AM

the eval expression is malformed. not sure if it's because of having two greater thans.

0 Karma
Reply

sdchakraborty
Contributor
‎01-08-2019 08:26 PM

ohh yes I forgot to remove the >=0 here is the correct code,

 (base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
  | eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") ,"true","false")
  | where back_to_normal = "true"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...