Solved: Alert when a field value changes

arjun_ananth · ‎09-24-2024

Working on a query to generate an alert when a field value changes. The requirement is to detect the change in IP for a FQDN.

Currently I'm trying to use a lookup file which has the current value of the IP for two FQDN per host.

Columns - Host|FQDN|Current_IP

Looks something like

Host1 fqdn1 IP1

Host2 fqdn1 IP1

Host1 fqdn2 IP2

Host2 fqdn2 IP2

I followed an approach suggested in another thread to use inputlookup

My current query looks like - stats latest(IP) as Latest_IP | inputlookup append=true myfile.csv | stats first(Latest_IP) as Latest_IP, first(Current_IP) as Previous_IP | where Latest_IP!=Previous_IP

This gives me a result with the latest and previous IP whenever the IP changes, but looking to add more details to the result which also lists the FQDN and the time when the IP changed.

gcusello · ‎09-24-2024

Hi @arjun_ananth ,

I don't like lookup method, I'd like to use a summary index:

schedule a search every night (if the change frequency that you want to monitor is one day) e.g.:

index=your_index
| dedup ip
| table _time host ip
| collect index=your_summary

and then run a search on the summary index:

index=your_summary
| stats dc(ip) AS ip_count By host
| where ip_count>1

in this way you haven't the problem of manage the timestamp and lookup upgrade, and, at the same time, you have a quick search.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎09-24-2024

Hi @arjun_ananth ,

I don't like lookup method, I'd like to use a summary index:

schedule a search every night (if the change frequency that you want to monitor is one day) e.g.:

index=your_index
| dedup ip
| table _time host ip
| collect index=your_summary

and then run a search on the summary index:

index=your_summary
| stats dc(ip) AS ip_count By host
| where ip_count>1

in this way you haven't the problem of manage the timestamp and lookup upgrade, and, at the same time, you have a quick search.

Ciao.

Giuseppe

arjun_ananth · ‎09-25-2024

Thanks @gcusello . I will try this and let you know.

You are right about the lookup. Whenever the IP values changes, the lookup file also needs to be updated. I managed to get the output using the lookup earlier, but then I tried to update the lookup file in the same query which messed up the column names, and the query won't work anymore since the values changed. I will try the summary method and let you know. Thanks again

gcusello · ‎09-25-2024

Hi @arjun_ananth ,

let me know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

arjun_ananth · ‎09-25-2024

@gcusello I ended up taking an entirely different approach. I ditched inputlookup/lookup and used a bit of eval, where and eventstats to achieve it. For your suggestion to use summary index, I do not have privileges to create a new index, so couldn't try that but it would have worked i guess. Thank you though, I can definitely keep this approach in mind whenever I run into problems again.

Alert when a field value changes

lookup

stats

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved