Re: How to send an alert whenever there is sudden ...

kumar_pashupati · ‎02-18-2020

Hi,
The below values are first event occurrence of that particular driver_id in respect of their unique dispatch_id. I am having the following values after doing search
_time store_id driver_id dispatch_id error_code status_code miles
2020-02-18 12:43:23.589 744107 y 41647 1000 200 0
2020-02-18 12:43:24.235 744107 x 41648 1000 200 0
2020-02-18 12:43:22.911 744107 y 41646 1000 200 0
2020-02-18 12:43:22.260 744107 y 41645 1000 200 0

I need to send the alert whenever there is sudden change of dispatch_id of that driver_id.
Currently, I am getting all the values in the alert.

Kindly help me on this.

nickhills · ‎02-18-2020

Try this as a starting point:

<your search>
|dedup 2 driver_id
|stats dc(dispatch_id) as dispatch_id_ct by _time store_id driver_id dispatch_id error_code status_code miles
|where dispatch_id_ct>1

The dedup restricts the search to the last 2 entries for a driver. Depending on your needs (timeframes) you may be able to omit this.

If my comment helps, please give it a thumbs up!

kumar_pashupati · ‎02-18-2020

Hi @nickhills ,
I am using the below query
index=tracking sourcetype="pp_zero" business_date!="" error_code!=1001
| table _time business_date store_id driver_id dispatch_id error_code status_code miles

Now, I want to set an alert whenever there is sudden change of dispatch_id of that particular driver_id. For example i,
Table
Driver_id dispatch_id time

d1 200 t1---alert should be send
d2 300 t2---alert should be send
d3 400 t3---alert should be send
d2 300 t4---no alert should be send cauz already sent for d2
d1 300 t5----alert should be send
d3 400 t5---no alert should be send cauz already sent for d3

Got my point..

How to send an alert whenever there is sudden change of dispatch_id of that driver_id.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?