Alerting

how to create an alert if there is change in the field value

vrmandadi
Builder

Hello All,

I have a field called component with values A, B, C, D. Now I want to alert if there is a new value coming in, for instance E. Then I need to alert with the new value showing.

Thanks in advance

0 Karma
1 Solution

vrmandadi
Builder

I have done something like this and schedule to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName 
| eval Match = if(v1=v2, "Match", "No Match") 
| search Match="No Match"


0 Karma


woodcock
Esteemed Legend

If this works, then you should convert your comment to an answer and click accept.

0 Karma

woodcock
Esteemed Legend

Like this:

... | stats dc(component) AS component_count values(component) AS components BY other fields here like host
| where component_count>1
0 Karma

woodcock
Esteemed Legend

Your description is very unclear but maybe this:

... | streamstats dc(component) AS component_count values(component) AS components
| streamstats current=f last(component_count) AS prev_component_count last(components) AS prev_components
| where component_count > prev_component_count
0 Karma

vrmandadi
Builder

Apologies @woodcock for the unclear description. I have a field called component which has values 1, 2, 3 etc. These values change when a user logs in and makes some changes. The value might increase or decrease. For instance, component test currently has value 1, but after 30 minutes the value might change to 3. In another 30 minutes it might change to 2. I want to generate an alert for each particular component whenever there is a change in its value. I hope this gives a clear idea.

0 Karma

woodcock
Esteemed Legend

Like this:

... | stats count min(_time) AS _time BY component
| search component="E"
0 Karma

vrmandadi
Builder

Thanks for your reply. The component value keeps changing, so I am looking for something like a comparison of the last 30 minutes with the latest value, and if there is a change then send an alert along with the new value.

0 Karma

to4kawa
Ultra Champion
....
search E

fire alert with $result.component$

0 Karma
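As an added example that is not code from this thread, the two comparison styles discussed above are reproduced in Python over constructed events (fileName as the grouping key and component as the watched value, matching the accepted search). It shows one caveat of the earliest-vs-latest window comparison: a value that changes and then reverts inside the same 30-minute window is reported as a match, while comparing each event with the previous one for the same key (the streamstats-style approach) catches every change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

# Constructed sample events (not from the thread). f1 changes 1 -> 3 -> 1
# within one window, f2 changes A -> B once, f3 has a single event.
EVENTS = [
    {"_time": "2024-01-01 10:00", "fileName": "f1", "component": "1"},
    {"_time": "2024-01-01 10:10", "fileName": "f1", "component": "3"},
    {"_time": "2024-01-01 10:25", "fileName": "f1", "component": "1"},
    {"_time": "2024-01-01 10:05", "fileName": "f2", "component": "A"},
    {"_time": "2024-01-01 10:20", "fileName": "f2", "component": "B"},
    {"_time": "2024-01-01 10:15", "fileName": "f3", "component": "X"},
]

def window_alerts(events, window_end, minutes=30):
    """Equivalent of the accepted search: per fileName, compare the earliest
    and latest component seen inside the window and alert when they differ."""
    start = window_end - timedelta(minutes=minutes)
    by_key = defaultdict(list)
    for e in events:
        t = parse(e["_time"])
        if start <= t <= window_end:
            by_key[e["fileName"]].append((t, e["component"]))
    alerts = {}
    for key, rows in by_key.items():
        rows.sort()
        v2, v1 = rows[0][1], rows[-1][1]  # earliest, latest
        if v1 != v2:
            alerts[key] = {"old": v2, "new": v1, "time": rows[-1][0]}
    return alerts

def transition_alerts(events):
    """Compare each event with the previous event for the same fileName;
    every change is reported, including one that later reverts."""
    alerts = []
    prev = {}
    for e in sorted(events, key=lambda e: parse(e["_time"])):
        key, val = e["fileName"], e["component"]
        if key in prev and prev[key] != val:
            alerts.append((e["_time"], key, prev[key], val))
        prev[key] = val
    return alerts
```

Run against the sample data, window_alerts for the window ending 10:30 reports only f2, whereas transition_alerts also reports both f1 changes.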