Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Required to create separate alert if one field value change

Lalit
Engager
‎04-17-2024 11:00 AM

Hi All,

I have data like below with three fields : srcip,dstip and title . When I execute below query 

.........| stats count by srcip,dstip,title

Result :

srcip        dstip           title

srcip1     dstip1         title

srcip1     dstip2       title

srcip2     dstip2        title1

srcip2      dstip3       title1

srcip1       dstip2       title2

 

So we required to alert separate on basis title values.  For all events of one title, there should be one alert. So above example there should be trigger 3 separate alerts .

 

Thank you ! in Advance  

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-19-2024 11:08 PM

You can fire alert either once per whole result set or separately per each result row. So if you want three alerts from six rows, you have to adjust your search to "squeeze" multiple results into one row.

 

0 Karma
Reply

marnall
Motivator
‎04-17-2024 02:07 PM

Have a go with:

| stats count values(srcip) as srcip values(dstip) as dstip by title

 

This should produce three rows and therefore 3 alerts, where the srcip and dstip are multi-value fields.

0 Karma
Reply

Lalit
Engager
‎04-17-2024 08:15 PM

Thank you for your response.

I have already tried this.  In this search I am getting multiple srcip and multiple dstip In one row. I required one row for one srcip to one dstip but alert should be  trigger  saperatly title wise .

0 Karma
Reply

marnall
Motivator
‎04-19-2024 10:27 PM

I can't think of a practical way to make an alert that will alert once per title, but also have many separate rows per title. You may be trying to do too much with one module.

You could set up the alert to use multi-value fields as per my previous suggestion, but then include a link in the alert to a separate search where each title is separate.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...