Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to trigger alert when there is switch between events for the first time?

paragg
Loves-to-Learn Lots
‎04-29-2024 10:10 AM

I want to get an alert when there is switch between events for the first time. Below is the example for this. 

index=abc sourcetype=xyz  <warning>

index=abc sourcetype=xyz  <critical>


These 2 queries I have and I want an alert when there is switch between from <warning> to <critical>.

Please help with the query.

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-29-2024 05:36 PM

You should look at using streamstats - here's an example that creates 10 events where every 4th event changes from warning to critical.

| makeresults count=10
| streamstats c
| eval _time=now() - c
| eval type=if(c % 4 = 0, "critical", "warning")
| fields - c
| sort - _time
| streamstats count reset_after="("type=\"warning\"")" by type
| where count=1 AND type="critical"

To give you an exact solution would need to know more about your requirement.

This will give 2 results when the type changes to critical from warning

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...