Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Detecting endpoint change in a specific event with an alert

jcunningham_con
Explorer
‎09-28-2017 12:33 PM

Looking for assistance with creating an email alert when an endpoint changes in logs.

We want to avoid multiple emails going out every 15 minutes and only send the email alert when the switch happens.

The alert would be searching every 15 minutes. Thinking that the best way to do this is come up with a search that only returns the specific event in question. If we find two different endpoints (field value) for the 15 minute window, then we know a switch has occurred.

From here am looking for assistance. How to write the query to detect which endpoint we started with and what we switched to. Thinking that we can do something like the following to get timestamp for endpointA and endpointB events. Then see which one is greater than the other. Then conditional statement to determine what the source and destination endpoints are.

... | eval time_a = case(expression to determine if it's endpointA, _time) | eval time_b = case(expression to determine if it's endpointB, _time)

Any help would be greatly appreciated.

0 Karma
Reply

DalJeanis
Legend
‎09-28-2017 04:58 PM

Don't overcomplicate your life. If there is more than one endpoint in a period, then it changed.

 your search that gets all events in the time range with field `myendpoint`
| stats values(myendpoint) as myendpoint
| where mvcount(myendpoint) > 1

...or, if you really want to know what it changed from, and what it changed to... 

 your search that gets all events in the time range with field `myendpoint`
| stats values(myendpoint) as myendpoint, earliest(myendpoint) as firstendpoint, latest(myendpoint) as lastendpoint
| where mvcount(myendpoint) > 1
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...