Solved: How do I alert on a field if service changed from ...

DanielASG · ‎11-27-2018

Hi all

We are watching 44 critical items in Splunk, and we have a search running to let us know if the service is up or down.

> index="winevents_server" sourcetype=updown | lookup updownhosts.csv IP OUTPUT Device_name,Use,Model | dedup IP | rename stats as status |table _time,IP Device_name, Model, status
> Blockquote

how can we alert if any of the values change from up to down or down to up ?

i know how to alert on each one, but I did not want 44 searches running at once. is there a way of doing this with one search?

kmorris_splunk · ‎11-28-2018

Something like this might work.

index="scratchpad" sourcetype="downtoup" 
| dedup status consecutive=true 
| head 2 
| stats count 
| where count=2

The consecutive parameter for the dedup command will dedup until the value changes, then dedup again. I tested with the value changing 4 times and I ended up with 4 events, even though I had more. Using head 2 gives you the last 2 values within the time window you are searching in. If the count is 2, it would indicate that the status has changed in that time window.

View solution in original post

kmorris_splunk · ‎11-28-2018

Something like this might work.

index="scratchpad" sourcetype="downtoup" 
| dedup status consecutive=true 
| head 2 
| stats count 
| where count=2

The consecutive parameter for the dedup command will dedup until the value changes, then dedup again. I tested with the value changing 4 times and I ended up with 4 events, even though I had more. Using head 2 gives you the last 2 values within the time window you are searching in. If the count is 2, it would indicate that the status has changed in that time window.

How do I alert on a field if service changed from up to down?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update