Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlate one field with other field to locate repeated value

kuriakose
Explorer
‎06-26-2020 08:23 AM

aid                              SHA

abc                          12345

                                  12345

ujdk                         9890

                                   9890

yui                          1239

                                 1897

I would like to trigger an alert if a particular aid has different SHA. In the above case, field yui should trigger an alert for me. 

can someone help me with an SPL?

Thanks in advance

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-26-2020 08:45 AM

Hi @kuriakose ,

if for each aid you have always two events and you wabt to find when the two values are different, you could use the following approach:

your_search
| stats dc(SHA) AS n_SHA values(SHA) AS SHA BY aid
| where dc_SHA>1
| table aid SHA

adapt this approach to your Use Case.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-26-2020 08:45 AM

Hi @kuriakose ,

if for each aid you have always two events and you wabt to find when the two values are different, you could use the following approach:

your_search
| stats dc(SHA) AS n_SHA values(SHA) AS SHA BY aid
| where dc_SHA>1
| table aid SHA

adapt this approach to your Use Case.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kuriakose
Explorer
‎06-26-2020 09:10 AM

Hi @gcusello,

 

Thank you so much. This is working perfectly.

A slight typo was in

| where n_SHA>1 instead of dc_SHA>1 🙂

that I corrected and it's working well. 

Thank you so much. 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...