Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to create an alert if there is change in the field value

vrmandadi
Builder
‎03-13-2020 12:07 PM

Hello All ,

I have a field called component with values A,B,C,D. Now I want to alert if there is a new value coming in for instance E .then I need to alert with the new value showing

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-23-2020 05:15 PM

I have done something like this and schedule to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName 
| eval Match = if(v1=v2, "Match", "No Match") 
| search Match="No Match"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-23-2020 05:15 PM

I have done something like this and schedule to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName 
| eval Match = if(v1=v2, "Match", "No Match") 
| search Match="No Match"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2020 05:46 PM

If this works, then you should convert your comment to an answer and click accept.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-22-2020 10:45 AM

Like this:

... | stats dc(component) AS component_count values(component) AS components BY other fields here like host
| where component_count>1
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-14-2020 07:04 PM

Your description is very unclear but maybe this:

... | streamstats dc(component) AS component_count values(component) AS components
| streamstats current=f last(component_count) AS prev_component_count last(components) AS prev_components
| where component_count > prev_component_count
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-20-2020 04:07 PM

Apologies @woodcock for the unclear description . I have field called component which has values=1 ,2, 3 etc ..these values change when user logs in and makes some changes .The value might increase or decrease . For instance component test currently has value 1 but after 30 minutes the value might change to 3 .In another 30 minites it might change to 2. I want to generate an alert for each particular component whenever there is a change in its value .I hope this gives a clear idea

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-13-2020 01:50 PM

Like this:

... | stats count min(_time) AS _time BY component
| search component="E"
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-13-2020 02:17 PM

Thanks for you reply .The component value keeps changing , so I am looking something like comparison for last 30 minutes with latest and see if there is a change than send an alert along with the new value

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-13-2020 12:40 PM 
....
search E

fire alert with $result.component$

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...