Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create an alert for field that has two values when it should only have one

asaprobo
New Member
‎08-24-2016 12:22 PM

Example:

userid: 123 should have a unique pin # and no other pin #s.

sometimes during a transaction userid's are assigned two pin #s by mistake. Alert when a userid has more than one pin #
transaction 1:
userid: 123
pin#: abc

transaction 2:
userid: 123
pin#: def

Tags (1)
0 Karma
Reply

pradeepkumarg
Influencer
‎08-24-2016 12:28 PM 
...| stats dc(pin), values(pin) by user| search dc(pin) >  1
Reply

JDukeSplunk
Builder
‎08-24-2016 12:28 PM

Maybe?

stats count(pin) AS COUNT by userid |search COUNT > 1
0 Karma
Reply

pradeepkumarg
Influencer
‎08-24-2016 12:30 PM

Looks like i was 4 seconds late in drafting the answer 🙂

0 Karma
Reply

JDukeSplunk
Builder
‎08-24-2016 12:31 PM

I like your use of dc better than mine. I think it would be less problematic.

0 Karma
Reply

JDukeSplunk
Builder
‎08-24-2016 12:33 PM

The take-away for asaprobo is, make a search that should only return counts of 1, and have a subsearch to return results greater than 1 and alert on that.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...