Reporting

Alert when the results of 2 searches do not match.

CaseyCarson
Engager

I have 2 different searches and I need to create an alert that would trigger if the results of the 2 searches are not equal. Below are my 2 searches. What we are doing is comparing a count of records in against a count of records out to make sure the application did not have an issue processing.

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| stats sum("Value") as "Total Records"


index=omma
| stats dc(record_id) as "Total Records"


tscroggins
Influencer

@CaseyCarson 

With minimal changes to your base searches:

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| stats sum("Value") as "Total Records In"
| appendcols
    [ search index=omma
    | stats dc(record_id) as "Total Records Out" ]
| where 'Total Records In'!='Total Records Out'

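The accepted answer's `appendcols` pattern works as long as both searches return a row. One caveat a practitioner should be aware of: if the subsearch returns nothing (for example, no `record_id` values in the time range), `appendcols` adds no field, the `where` comparison against a missing field does not evaluate to true, the row is dropped, and the alert stays silent on exactly the day it should fire. The variant below is an added example, not code from the original post or the answer; it keeps the same two base searches but uses `fillnull` so a missing side is treated as zero, and it computes an explicit difference that can be shown in the alert. The field names `total_in`, `total_out` and `difference` are my own choice (no spaces, so they do not need single-quoting in `eval`/`where`).

```spl
index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as Value by lictype
| stats sum(Value) as total_in
| appendcols
    [ search index=omma
    | stats dc(record_id) as total_out ]
| fillnull value=0 total_in total_out
| eval difference=total_in-total_out
| where difference!=0
```

Save this as an alert with the trigger condition "Number of Results is greater than 0": a matching in/out count returns no rows and does not fire; a mismatch returns one row carrying `total_in`, `total_out` and the signed `difference`, which can be placed in the notification so the responder sees the size and direction of the gap without re-running the search. Note that `appendcols` pairs rows positionally; that is safe here only because each side collapses to a single row with `stats`.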


CaseyCarson
Engager

Thank you! This is what I needed!
