Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

help with creating an alert when a field value changes

vrmandadi
Builder
‎03-11-2020 11:18 AM

Hello All ,

I have a field called version which has values 1,2 etc for each different field "collection" .Now I want to create an alert whenever the version value changes (always goes higher) from 1 to 2 or 2 to 3 .Once the value changes the new events will have the new version value .

For instance for collection A the version is 1 ..in future if that value changes to 2 then the new data will have value 2 and so on

SAMPLE EVENT

{"fileName":"Bggg","id":"5d0d78","isChained":false,"metaInfo":{"author":"","copyright":"","description":"","name":"lin","noOutputFilesMessage":"","outputMessage":"","url":"","urlText":""},"packageType":1,"public":false,"runCount":4,"runDisabled":false,"subscriptionId":"5d013c84d3c465","uploadDate":"\/Date(1583943892366)\/","version":null,"workerTag":"","collections":[{"collectionId":"5dc909225c9e1a89","collectionName":"A"}],"lastRunDate":"\/Date(1583948946000-0400)\/","publishedVersionId":"5e6910d3fa3a841ee8000611","publishedVersionNumber":2,"publishedVersionOwner":{"active":true,"email":"aacom","firstName":"ha","id":"5d0136be14d3c398","lastName":"gi","sId":null,"subscriptionId":"5d0136be17c395"},"subscriptionName":"u"}

Thanks in Advance

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-12-2020 12:27 AM

Hi @ vrmandadi,
at first you have to extract the two files using a regex like this:

collectionName\":\"(?<collectionName>[^\"]+)".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)

that you can test at https://regex101.com/r/bTPcVJ/1

then you can run a search like this:

index=your_index
| rex "collectionName\":\"(?<collectionName>[^\"]+)".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)"
| stats dc(publishedVersionNumber) AS number_of_versions values(publishedVersionNumber) AS publishedVersionNumber BY collectionName

Now you can create an alert adding to the end the row:

| where number_of_versions>1

or display the search in a panel as is.

Ciao.
Giuseppe

0 Karma
Reply

vrmandadi
Builder
‎03-12-2020 01:21 PM

Thank your response.This is not what I am looking for the version which changed from 1 to 2 in future will change to 3 ...SO the where clause needs to change everytime .I am looking for something like a compare thing which checks the version of a particular collect previously and check with latest and then generate an alert when there is a change

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-13-2020 12:54 AM

Hi @ vrmandadi,
sorry, I wasn't clear: using this search you don't search if the version of a collectionName has a value greather than 1 but you search if, in the monitoring period, there are two or more different versions for each of them, infact in the number_of_versions field there's ne number of different versions that you have using the distinct_count funtion.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...