Splunk Search

How to send an alert whenever there is sudden change of dispatch_id of that driver_id.

kumar_pashupati
New Member

Hi,
The below values are first event occurrence of that particular driver_id in respect of their unique dispatch_id. I am having the following values after doing search
_time store_id driver_id dispatch_id error_code status_code miles
2020-02-18 12:43:23.589 744107 y 41647 1000 200 0
2020-02-18 12:43:24.235 744107 x 41648 1000 200 0
2020-02-18 12:43:22.911 744107 y 41646 1000 200 0
2020-02-18 12:43:22.260 744107 y 41645 1000 200 0

I need to send the alert whenever there is sudden change of dispatch_id of that driver_id.
Currently, I am getting all the values in the alert.

Kindly help me on this.

0 Karma

nickhills
Ultra Champion

Try this as a starting point:

<your search>
|dedup 2 driver_id
|stats dc(dispatch_id) as dispatch_id_ct by _time store_id driver_id dispatch_id error_code status_code miles
|where dispatch_id_ct>1

The dedup restricts the search to the last 2 entries for a driver. Depending on your needs (timeframes) you may be able to omit this.

If my comment helps, please give it a thumbs up!
0 Karma

kumar_pashupati
New Member

Hi @nickhills ,
I am using the below query
index=tracking sourcetype="pp_zero" business_date!="" error_code!=1001
| table _time business_date store_id driver_id dispatch_id error_code status_code miles

Now, I want to set an alert whenever there is sudden change of dispatch_id of that particular driver_id. For example i,
Table
Driver_id dispatch_id time

d1 200 t1---alert should be send
d2 300 t2---alert should be send
d3 400 t3---alert should be send
d2 300 t4---no alert should be send cauz already sent for d2
d1 300 t5----alert should be send
d3 400 t5---no alert should be send cauz already sent for d3

Got my point..

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...