- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Can you alert for if a field value is changed to a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you alert for if a field value is changed to a specific value?
i currently have an existing alert that notifies if the servers are down.
Say i have two columns: server_name and event_status.
event_status=60002 indicates if the servers are down.
event_status=60001 indicates if the servers are up
Please note that there are other values for event_status, but we are only focused on these two.
Existing alert for server down:
(base search) server_name=dfw* "EventCode=60002" earliest=-1h@h | dedup server_name | table server_name
//this is scheduled to run every 5 minutes and triggers once if there is any result
i would now want to have another alert that indicates if the servers are back to EventCode=60001 (from 60002)
Can you please help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can do something like below,
(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") >=0 AND mvfind(EventCode,"60002") >=0,"true","false")
| where back_to_normal = "true"
Sid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, the query produced results or "alerted" when the servers went down.. They alerted almost the same time. I think it is because the query showed results with 60001 to 60002...
We would like to have a result only seeing 60002 and back to 60001. Is it possible to modify this query a little? Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try something like this below,
(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") >=0,"true","false")
| where back_to_normal = "true"
Sid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the eval expression is malformed. not sure if it's because of having two greater thans.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ohh yes I forgot to remove the >=0 here is the correct code,
(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") ,"true","false")
| where back_to_normal = "true"
Introducing Edge Processor: Next Gen Data Transformation
Take the 2021 Splunk Career Survey for $50 in Amazon Cash
Using Machine Learning for Hunting Security Threats
