I want to know when there is a change in the user list.
For example, if you get the following json once a day, I want to send an alert if a user has been added or deleted compared to the previous day's json.
Is there any way?
{
1: tom
2: nick
3: potter
4: aina
}
your_search earliest=@d
| spath
| eval user_list=""
| foreach *
[eval user_list=user_list + '<<FIELD>>']
| table user_list
| append [ search your_search earliest=-1d@d latest=@d
| spath
| eval user_list=""
| foreach *
[eval user_list=user_list + '<<FIELD>>']
| table user_list ]
| stats dc(user_list) as count
| where count > 1
hi, @mcdp_matsumoto
if event count > 0 , Fire alert.
your_search earliest=@d
| spath
| eval user_list=""
| foreach *
[eval user_list=user_list + '<<FIELD>>']
| table user_list
| append [ search your_search earliest=-1d@d latest=@d
| spath
| eval user_list=""
| foreach *
[eval user_list=user_list + '<<FIELD>>']
| table user_list ]
| stats dc(user_list) as count
| where count > 1
hi, @mcdp_matsumoto
if event count > 0 , Fire alert.
Thank you for your answer.
Finally, my solution is as follows. Thank you very much.
json
[
{
id: xxxxxx
login: tom
},
{
id: yyyyyy
login: aina
},
・
・
・
]
spl
your_search | spath {}.login
| eval user_list='{}.login'
| table user_list
| append [ search your_search
| spath {}.login
| eval user_list='{}.login'
| table user_list ]
| stats dc(user_list) as count
| where count > 1
Even though it's a very crude way, but I think it will get your job done. You may create a lookup file to store the count of users each day by reading the user list files each day (See below) and compare the counts from the previous day in your alert query.
| makeresults
| eval x="{
1: tom
2: nick
3: potter
4: aina
}"
| rex field=yourlist mode=sed "s/\n/|/g"
| rex field=yourlist "\{\|(?P<name>[\w\d\s|:]*)\|\}"
| makemv name delim="|"
| mvexpand name|stats count as x
@mcdp_matsumoto are the numbers before the names, the count of Users on a particular day or ids of the user?
Depending on this the SPL will completely vary.
Since the final SPL will be very much dependent on the JSON data being passed, community will be able to assist you better if you provide actual JSON structure that will be used (you can mock anonymize any sensitive data similar to how you have done in the question.)