Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to create an alert if there is change in the field value

vrmandadi
Builder
‎03-13-2020 12:07 PM

Hello All ,

I have a field called component with values A,B,C,D. Now I want to alert if there is a new value coming in for instance E .then I need to alert with the new value showing

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-23-2020 05:15 PM

I have done something like this and schedule to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName 
| eval Match = if(v1=v2, "Match", "No Match") 
| search Match="No Match"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-23-2020 05:15 PM

I have done something like this and schedule to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName 
| eval Match = if(v1=v2, "Match", "No Match") 
| search Match="No Match"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2020 05:46 PM

If this works, then you should convert your comment to an answer and click accept.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-22-2020 10:45 AM

Like this:

... | stats dc(component) AS component_count values(component) AS components BY other fields here like host
| where component_count>1
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-14-2020 07:04 PM

Your description is very unclear but maybe this:

... | streamstats dc(component) AS component_count values(component) AS components
| streamstats current=f last(component_count) AS prev_component_count last(components) AS prev_components
| where component_count > prev_component_count
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-20-2020 04:07 PM

Apologies @woodcock for the unclear description . I have field called component which has values=1 ,2, 3 etc ..these values change when user logs in and makes some changes .The value might increase or decrease . For instance component test currently has value 1 but after 30 minutes the value might change to 3 .In another 30 minites it might change to 2. I want to generate an alert for each particular component whenever there is a change in its value .I hope this gives a clear idea

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-13-2020 01:50 PM

Like this:

... | stats count min(_time) AS _time BY component
| search component="E"
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-13-2020 02:17 PM

Thanks for you reply .The component value keeps changing , so I am looking something like comparison for last 30 minutes with latest and see if there is a change than send an alert along with the new value

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-13-2020 12:40 PM 
....
search E

fire alert with $result.component$

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...