Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to create an alert if there is change in the field value

vrmandadi
Builder
‎03-13-2020 12:07 PM

Hello All ,

I have a field called component with values A,B,C,D. Now I want to alert if there is a new value coming in for instance E .then I need to alert with the new value showing

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-23-2020 05:15 PM

I have done something like this and schedule to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName 
| eval Match = if(v1=v2, "Match", "No Match") 
| search Match="No Match"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-23-2020 05:15 PM

I have done something like this and schedule to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName 
| eval Match = if(v1=v2, "Match", "No Match") 
| search Match="No Match"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2020 05:46 PM

If this works, then you should convert your comment to an answer and click accept.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-22-2020 10:45 AM

Like this:

... | stats dc(component) AS component_count values(component) AS components BY other fields here like host
| where component_count>1
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-14-2020 07:04 PM

Your description is very unclear but maybe this:

... | streamstats dc(component) AS component_count values(component) AS components
| streamstats current=f last(component_count) AS prev_component_count last(components) AS prev_components
| where component_count > prev_component_count
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-20-2020 04:07 PM

Apologies @woodcock for the unclear description . I have field called component which has values=1 ,2, 3 etc ..these values change when user logs in and makes some changes .The value might increase or decrease . For instance component test currently has value 1 but after 30 minutes the value might change to 3 .In another 30 minites it might change to 2. I want to generate an alert for each particular component whenever there is a change in its value .I hope this gives a clear idea

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-13-2020 01:50 PM

Like this:

... | stats count min(_time) AS _time BY component
| search component="E"
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-13-2020 02:17 PM

Thanks for you reply .The component value keeps changing , so I am looking something like comparison for last 30 minutes with latest and see if there is a change than send an alert along with the new value

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-13-2020 12:40 PM 
....
search E

fire alert with $result.component$

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...