Re: Required to create separate alert if one field...

Lalit · ‎04-17-2024

Hi All,

I have data like below with three fields : srcip,dstip and title . When I execute below query

.........| stats count by srcip,dstip,title

Result :

srcip dstip title

srcip1 dstip1 title

srcip1 dstip2 title

srcip2 dstip2 title1

srcip2 dstip3 title1

srcip1 dstip2 title2

So we required to alert separate on basis title values. For all events of one title, there should be one alert. So above example there should be trigger 3 separate alerts .

Thank you ! in Advance

PickleRick · ‎04-19-2024

You can fire alert either once per whole result set or separately per each result row. So if you want three alerts from six rows, you have to adjust your search to "squeeze" multiple results into one row.

marnall · ‎04-17-2024

Have a go with:

| stats count values(srcip) as srcip values(dstip) as dstip by title

This should produce three rows and therefore 3 alerts, where the srcip and dstip are multi-value fields.

Lalit · ‎04-17-2024

Thank you for your response.

I have already tried this. In this search I am getting multiple srcip and multiple dstip In one row. I required one row for one srcip to one dstip but alert should be trigger saperatly title wise .

marnall · ‎04-19-2024

I can't think of a practical way to make an alert that will alert once per title, but also have many separate rows per title. You may be trying to do too much with one module.

You could set up the alert to use multi-value fields as per my previous suggestion, but then include a link in the alert to a separate search where each title is separate.

Required to create separate alert if one field value change

alert condition

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!