Splunk Search

How to send an alert whenever there is sudden change of dispatch_id of that driver_id.

kumar_pashupati
New Member

Hi,
The below values are first event occurrence of that particular driver_id in respect of their unique dispatch_id. I am having the following values after doing search
_time store_id driver_id dispatch_id error_code status_code miles
2020-02-18 12:43:23.589 744107 y 41647 1000 200 0
2020-02-18 12:43:24.235 744107 x 41648 1000 200 0
2020-02-18 12:43:22.911 744107 y 41646 1000 200 0
2020-02-18 12:43:22.260 744107 y 41645 1000 200 0

I need to send the alert whenever there is sudden change of dispatch_id of that driver_id.
Currently, I am getting all the values in the alert.

Kindly help me on this.

0 Karma

nickhills
Ultra Champion

Try this as a starting point:

<your search>
|dedup 2 driver_id
|stats dc(dispatch_id) as dispatch_id_ct by _time store_id driver_id dispatch_id error_code status_code miles
|where dispatch_id_ct>1

The dedup restricts the search to the last 2 entries for a driver. Depending on your needs (timeframes) you may be able to omit this.

If my comment helps, please give it a thumbs up!
0 Karma

kumar_pashupati
New Member

Hi @nickhills ,
I am using the below query
index=tracking sourcetype="pp_zero" business_date!="" error_code!=1001
| table _time business_date store_id driver_id dispatch_id error_code status_code miles

Now, I want to set an alert whenever there is sudden change of dispatch_id of that particular driver_id. For example i,
Table
Driver_id dispatch_id time

d1 200 t1---alert should be send
d2 300 t2---alert should be send
d3 400 t3---alert should be send
d2 300 t4---no alert should be send cauz already sent for d2
d1 300 t5----alert should be send
d3 400 t5---no alert should be send cauz already sent for d3

Got my point..

0 Karma
Get Updates on the Splunk Community!

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...