Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to alert when a certain field changes from a value to another random value?

clairebesson
Explorer
‎08-03-2016 01:12 PM

Hi everyone,

I want to create an alert by email when one of the fields of my index changes. I have a file with different counters with values associated (one column for the counters name and one column for the value).

I would like to be notified by email when the value of one specific counter changes.
I’ve read the documentation about real time alert, but I didn’t find anything that could help me.
Example: Let's say that I am interested in the "counter_1". If the value of counter_1 change I would like to be alerted.

Could you help me with that issue?
Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎08-06-2016 04:55 PM

Setup a search to run every X minutes and over the last X+1 minutes (where X is the same number) and search this:

... | stats dc(counter_1) AS numValues | search numValues>1
0 Karma
Reply

sundareshr
Legend
‎08-03-2016 01:25 PM

Please share couple of events. Have you extracted these columns as KV pairs? That will have to be your first step. https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf

Once you have fields extracted, you can do a search with earliest=-5m, this will alert you of any changes in the past 5 mins. Since this is an extracted field, real-time search may not work correctly.

0 Karma
Reply

JDukeSplunk
Builder
‎08-03-2016 01:17 PM

If I read you right, then counter_1 is always X. So, setup the alert to exclude expected results, like X. But if counter_1=Y, the search will return a result, and you can alert on that. So...

 basesearch NOT counter_1=expectedvalue

And then setup the alert to run at whatever interval, and alert if number of results is greater than one?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...