Alerting

help with creating an alert when a field value changes

vrmandadi
Builder

Hello All,

I have a field called version which has values 1, 2, etc. for each different field "collection". Now I want to create an alert whenever the version value changes (it always goes higher) from 1 to 2 or 2 to 3. Once the value changes, the new events will have the new version value.

For instance, for collection A the version is 1. In future, if that value changes to 2, then the new data will have value 2, and so on.

SAMPLE EVENT

{"fileName":"Bggg","id":"5d0d78","isChained":false,"metaInfo":{"author":"","copyright":"","description":"","name":"lin","noOutputFilesMessage":"","outputMessage":"","url":"","urlText":""},"packageType":1,"public":false,"runCount":4,"runDisabled":false,"subscriptionId":"5d013c84d3c465","uploadDate":"\/Date(1583943892366)\/","version":null,"workerTag":"","collections":[{"collectionId":"5dc909225c9e1a89","collectionName":"A"}],"lastRunDate":"\/Date(1583948946000-0400)\/","publishedVersionId":"5e6910d3fa3a841ee8000611","publishedVersionNumber":2,"publishedVersionOwner":{"active":true,"email":"aacom","firstName":"ha","id":"5d0136be14d3c398","lastName":"gi","sId":null,"subscriptionId":"5d0136be17c395"},"subscriptionName":"u"}

Thanks in Advance

0 Karma

gcusello
SplunkTrust

Hi @vrmandadi,
at first you have to extract the two fields using a regex like this:

collectionName\":\"(?<collectionName>[^\"]+)".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)

that you can test at https://regex101.com/r/bTPcVJ/1

then you can run a search like this:

index=your_index
| rex "collectionName\":\"(?<collectionName>[^\"]+)\".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)"
| stats dc(publishedVersionNumber) AS number_of_versions values(publishedVersionNumber) AS publishedVersionNumber BY collectionName

Now you can create an alert by adding this row at the end:

| where number_of_versions>1

or display the search in a panel as is.

Ciao.
Giuseppe

0 Karma

vrmandadi
Builder

Thank you for your response. This is not what I am looking for; the version which changed from 1 to 2 will in future change to 3 ... So the where clause needs to change every time. I am looking for something like a compare thing which checks the version of a particular collection previously and checks it against the latest, and then generates an alert when there is a change.

0 Karma

gcusello
SplunkTrust

Hi @vrmandadi,
sorry, I wasn't clear: using this search you don't check whether the version of a collectionName has a value greater than 1, but whether, in the monitoring period, there are two or more different versions for each of them; in fact the number_of_versions field contains the number of different versions, obtained using the distinct_count function.

Ciao.
Giuseppe

0 Karma
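The follow-up question asks for a per-collection comparison of the previous version against the latest one, rather than a threshold that has to be edited each time. The search below is an added example (not code posted in this thread) that does that with streamstats. It assumes the JSON events shown above are indexed in a placeholder index called your_index and that the fields are extracted with spath instead of the rex from the answer; since the events are JSON, spath reads collections{}.collectionName and publishedVersionNumber directly, and mvexpand splits events that list more than one collection.

```spl
index=your_index
| spath output=collectionName path=collections{}.collectionName
| spath output=publishedVersionNumber path=publishedVersionNumber
| mvexpand collectionName
| where isnotnull(collectionName) AND isnotnull(publishedVersionNumber)
| sort 0 collectionName, _time
| streamstats current=f last(publishedVersionNumber) AS previous_version BY collectionName
| where isnotnull(previous_version) AND publishedVersionNumber != previous_version
| table _time collectionName previous_version publishedVersionNumber
```

The sort puts each collection's events in time order, and streamstats with current=f carries the version of the immediately preceding event for the same collectionName into previous_version. The final where keeps only the rows where the version differs from its predecessor, so the search returns the transition itself (old value and new value, with its timestamp) and nothing else, whatever the numbers are. As a scheduled alert, trigger it on "number of results greater than 0" over a window long enough to contain at least one event before and one after a change; the dc() approach from the earlier answer also needs no edits when the version grows, and this variant only adds the old and new values to the result.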