Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to alert when a certain field changes from a value to another random value?

clairebesson
Explorer
‎08-03-2016 01:12 PM

Hi everyone,

I want to create an alert by email when one of the fields of my index changes. I have a file with different counters with values associated (one column for the counters name and one column for the value).

I would like to be notified by email when the value of one specific counter changes.
I’ve read the documentation about real time alert, but I didn’t find anything that could help me.
Example: Let's say that I am interested in the "counter_1". If the value of counter_1 change I would like to be alerted.

Could you help me with that issue?
Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎08-06-2016 04:55 PM

Setup a search to run every X minutes and over the last X+1 minutes (where X is the same number) and search this:

... | stats dc(counter_1) AS numValues | search numValues>1
0 Karma
Reply

sundareshr
Legend
‎08-03-2016 01:25 PM

Please share couple of events. Have you extracted these columns as KV pairs? That will have to be your first step. https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf

Once you have fields extracted, you can do a search with earliest=-5m, this will alert you of any changes in the past 5 mins. Since this is an extracted field, real-time search may not work correctly.

0 Karma
Reply

JDukeSplunk
Builder
‎08-03-2016 01:17 PM

If I read you right, then counter_1 is always X. So, setup the alert to exclude expected results, like X. But if counter_1=Y, the search will return a result, and you can alert on that. So...

 basesearch NOT counter_1=expectedvalue

And then setup the alert to run at whatever interval, and alert if number of results is greater than one?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...