Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Detecting endpoint change in a specific event with an alert

jcunningham_con
Explorer
‎09-28-2017 12:33 PM

Looking for assistance with creating an email alert when an endpoint changes in logs.

We want to avoid multiple emails going out every 15 minutes and only send the email alert when the switch happens.

The alert would be searching every 15 minutes. Thinking that the best way to do this is come up with a search that only returns the specific event in question. If we find two different endpoints (field value) for the 15 minute window, then we know a switch has occurred.

From here am looking for assistance. How to write the query to detect which endpoint we started with and what we switched to. Thinking that we can do something like the following to get timestamp for endpointA and endpointB events. Then see which one is greater than the other. Then conditional statement to determine what the source and destination endpoints are.

... | eval time_a = case(expression to determine if it's endpointA, _time) | eval time_b = case(expression to determine if it's endpointB, _time)

Any help would be greatly appreciated.

0 Karma
Reply

DalJeanis
Legend
‎09-28-2017 04:58 PM

Don't overcomplicate your life. If there is more than one endpoint in a period, then it changed.

 your search that gets all events in the time range with field `myendpoint`
| stats values(myendpoint) as myendpoint
| where mvcount(myendpoint) > 1

...or, if you really want to know what it changed from, and what it changed to... 

 your search that gets all events in the time range with field `myendpoint`
| stats values(myendpoint) as myendpoint, earliest(myendpoint) as firstendpoint, latest(myendpoint) as lastendpoint
| where mvcount(myendpoint) > 1
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...