Splunk Search

Correlate one field with other field to locate repeated value

kuriakose
Explorer

aid     SHA
abc     12345
        12345
ujdk    9890
        9890
yui     1239
        1897

I would like to trigger an alert if a particular aid has different SHA. In the above case, field yui should trigger an alert for me.

Can someone help me with an SPL?

Thanks in advance


gcusello
SplunkTrust
SplunkTrust

Hi @kuriakose ,

if for each aid you always have two events and you want to find when the two values are different, you could use the following approach:

your_search
| stats dc(SHA) AS n_SHA values(SHA) AS SHA BY aid
| where n_SHA>1
| table aid SHA

adapt this approach to your Use Case.

Ciao.

Giuseppe
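The same detection logic as the SPL above, written out in Python as an added example (not code from the thread or from Splunk) so the behaviour can be tested on constructed events. It goes one step beyond the SPL by normalising hash case and whitespace before counting distinct values, since `dc(SHA)` is case-sensitive and would otherwise flag the same digest written as `ABCD` and `abcd`; the sample events and that normalisation are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample events mirroring the table in the question: the aids
# abc and ujdk report one hash each, while yui reports two different hashes.
SAMPLE_EVENTS = [
    {"aid": "abc", "SHA": "12345"},
    {"aid": "abc", "SHA": "12345"},
    {"aid": "ujdk", "SHA": "9890"},
    {"aid": "ujdk", "SHA": "9890"},
    {"aid": "yui", "SHA": "1239"},
    {"aid": "yui", "SHA": "1897"},
]


def normalize_sha(value):
    """Canonicalise a hash so the same digest in different letter case or with
    stray whitespace is not counted as a distinct value. This is an addition
    of this example; the SPL dc(SHA) count compares the raw strings."""
    return value.strip().lower()


def aids_with_conflicting_sha(events):
    """Equivalent of:
        stats dc(SHA) AS n_SHA values(SHA) AS SHA BY aid | where n_SHA>1
    Returns {aid: sorted distinct SHA values} for every aid whose events
    carry more than one distinct SHA. An aid with a single event, or with
    several events all carrying the same hash, is never returned."""
    seen = defaultdict(set)
    for event in events:
        aid = event.get("aid")
        sha = event.get("SHA")
        if not aid or not sha:
            # stats BY aid drops events without an aid, and dc() ignores
            # null SHA values, so such events cannot contribute a conflict.
            continue
        seen[aid].add(normalize_sha(sha))
    return {aid: sorted(shas) for aid, shas in seen.items() if len(shas) > 1}


def alert_lines(events):
    """Render the `table aid SHA` result as one line per offending aid."""
    conflicts = aids_with_conflicting_sha(events)
    return [f"{aid} {' '.join(shas)}" for aid, shas in sorted(conflicts.items())]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)  # prints "yui 1239 1897"
```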


kuriakose
Explorer

Hi @gcusello,

Thank you so much. This is working perfectly.

A slight typo was in

| where n_SHA>1 instead of dc_SHA>1 🙂

that I corrected and it's working well. 

Thank you so much. 
