Solved: Alert when the results of 2 searches do not match.

CaseyCarson · ‎03-26-2021

I have 2 different searches and I need to create an alert that would trigger if the results of the 2 searches are not equal. Below are my 2 searches. What we are doing is comparing a count of records in and count of records out to make sure the application did not have an issue processing.

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| stats sum("Value") as "Total Records"

index=omma
| stats dc(record_id) as "Total Records"

tscroggins · ‎03-27-2021

@CaseyCarson

With minimal changes to your base searches:

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| status sum("Value") as "Total Records In"
| appendcols
    [ search index=omma
    | stats dc(record_id) as "Total Records Out" ]
| where 'Total Records In'!='Total Records Out'

View solution in original post

tscroggins · ‎03-27-2021

@CaseyCarson

With minimal changes to your base searches:

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| status sum("Value") as "Total Records In"
| appendcols
    [ search index=omma
    | stats dc(record_id) as "Total Records Out" ]
| where 'Total Records In'!='Total Records Out'

CaseyCarson · ‎03-29-2021

Thank you! This is what I needed!

Alert when the results of 2 searches do not match.

saved search

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Alert when the results of 2 searches do not match.

saved search

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR