Query which should show whenever there is a modifi...

Janani_Krish · ‎12-28-2020

Hello All,

I have to construct a query whenever there is change in my query result. My query and result is as follows,
Query:
sourcetype="my_sourcetype"|dedup indicator|table indicator

Result:
indicator

a

b

So I need to get an alert whenever my set [Indicator(a,b)] changes, i.e addition [indicator(a,b,c)] or deletion[indicator(a)] happens.
Please suggest for my above requirement.

richgalloway · ‎12-28-2020

If you only need to worry about additions or deletions then this query should do.

sourcetype="my_sourcetype"
| stats dc(indicator) as count
| where count != 2

Trigger an alert whenever the query returns results.

---
If this reply helps you, Karma would be appreciated.

Janani_Krish · ‎12-28-2020

Thanks @richgalloway
That will help. But is there any way I can identify any modifications in the list, like Indicator[a.b] changed to Indicator[c,d].

richgalloway · ‎12-29-2020

First, you'll need to save the set of expected results.

sourcetype="my_sourcetype"
|dedup indicator
|table indicator
| outputlookup indicator.csv

Then you can compare those results to a new search.

| set diff [sourcetype="my_sourcetype"|dedup indicator|table indicator]
[|inputlookup indicator.csv]

---
If this reply helps you, Karma would be appreciated.

Query which should show whenever there is a modification in data set

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

Query which should show whenever there is a modification in data set

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!