Solved: Correlate one field with other field to locate rep...

kuriakose · ‎06-26-2020

aid SHA

abc 12345

12345

ujdk 9890

9890

yui 1239

1897

I would like to trigger an alert if a particular aid has different SHA. In the above case, field yui should trigger an alert for me.

can someone help me with an SPL?

Thanks in advance

gcusello · ‎06-26-2020

if for each aid you have always two events and you wabt to find when the two values are different, you could use the following approach:

your_search
| stats dc(SHA) AS n_SHA values(SHA) AS SHA BY aid
| where dc_SHA>1
| table aid SHA

adapt this approach to your Use Case.

Ciao.

Giuseppe

gcusello · ‎06-26-2020

if for each aid you have always two events and you wabt to find when the two values are different, you could use the following approach:

your_search
| stats dc(SHA) AS n_SHA values(SHA) AS SHA BY aid
| where dc_SHA>1
| table aid SHA

adapt this approach to your Use Case.

Ciao.

Giuseppe

kuriakose · ‎06-26-2020

Thank you so much. This is working perfectly.

A slight typo was in

| where n_SHA>1 instead of dc_SHA>1 🙂

that I corrected and it's working well.

Thank you so much.

Correlate one field with other field to locate repeated value