Alerting

help with creating an alert when a field value changes

vrmandadi
Builder

Hello All ,

I have a field called version which has values 1,2 etc for each different field "collection" .Now I want to create an alert whenever the version value changes (always goes higher) from 1 to 2 or 2 to 3 .Once the value changes the new events will have the new version value .

For instance for collection A the version is 1 ..in future if that value changes to 2 then the new data will have value 2 and so on

SAMPLE EVENT

{"fileName":"Bggg","id":"5d0d78","isChained":false,"metaInfo":{"author":"","copyright":"","description":"","name":"lin","noOutputFilesMessage":"","outputMessage":"","url":"","urlText":""},"packageType":1,"public":false,"runCount":4,"runDisabled":false,"subscriptionId":"5d013c84d3c465","uploadDate":"\/Date(1583943892366)\/","version":null,"workerTag":"","collections":[{"collectionId":"5dc909225c9e1a89","collectionName":"A"}],"lastRunDate":"\/Date(1583948946000-0400)\/","publishedVersionId":"5e6910d3fa3a841ee8000611","publishedVersionNumber":2,"publishedVersionOwner":{"active":true,"email":"aacom","firstName":"ha","id":"5d0136be14d3c398","lastName":"gi","sId":null,"subscriptionId":"5d0136be17c395"},"subscriptionName":"u"}

Thanks in Advance

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ vrmandadi,
at first you have to extract the two files using a regex like this:

collectionName\":\"(?<collectionName>[^\"]+)".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)

that you can test at https://regex101.com/r/bTPcVJ/1

then you can run a search like this:

index=your_index
| rex "collectionName\":\"(?<collectionName>[^\"]+)".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)"
| stats dc(publishedVersionNumber) AS number_of_versions values(publishedVersionNumber) AS publishedVersionNumber BY collectionName

Now you can create an alert adding to the end the row:

| where number_of_versions>1

or display the search in a panel as is.

Ciao.
Giuseppe

0 Karma

vrmandadi
Builder

Thank your response.This is not what I am looking for the version which changed from 1 to 2 in future will change to 3 ...SO the where clause needs to change everytime .I am looking for something like a compare thing which checks the version of a particular collect previously and check with latest and then generate an alert when there is a change

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ vrmandadi,
sorry, I wasn't clear: using this search you don't search if the version of a collectionName has a value greather than 1 but you search if, in the monitoring period, there are two or more different versions for each of them, infact in the number_of_versions field there's ne number of different versions that you have using the distinct_count funtion.

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...