How to find changing serial numbers?

splunk_enjoyer · ‎09-02-2022

Hello Splunk Enjoyers! I have problem

Information about routers arrives every minute, so

What I have: name_of_router and serial_number of client on index = routers

What i want: i want to make alert, if serial_number has changed.

How should i do this?

splunk_enjoyer · ‎09-02-2022

@ITWhisperer thanks! its work!

and how can i result serial number and serial_number where serial_number >1? not count

ITWhisperer · ‎09-02-2022

If you want to keep the events, use eventstats

| eventstats dc(serial_number) as count by name
| where count > 1

splunk_enjoyer · ‎09-02-2022

so how can i result events where serial number had changed, not count

ITWhisperer · ‎09-02-2022

Can you share some depersonalised events in a code block </>

splunk_enjoyer · ‎09-02-2022

for example:

| table name serial_number

result:

name | serial_number

cisco1 | ABC123456

cisco1 | cdf95959595

ITWhisperer · ‎09-02-2022

| stats dc(serial_number) as count by name
| where count > 1

Join the Conversation