The values below are the first event occurrences of each driver_id with respect to its unique dispatch_id. I am getting the following values after running my search:
_time                    store_id  driver_id  dispatch_id  error_code  status_code  miles
2020-02-18 12:43:23.589  744107    y          41647        1000        200          0
2020-02-18 12:43:24.235  744107    x          41648        1000        200          0
2020-02-18 12:43:22.911  744107    y          41646        1000        200          0
2020-02-18 12:43:22.260  744107    y          41645        1000        200          0
I need to send an alert whenever there is a sudden change of dispatch_id for a given driver_id.
Currently, I am getting all the values in the alert.
Kindly help me on this.
Try this as a starting point:
<your search> | dedup 2 driver_id | stats dc(dispatch_id) as dispatch_id_ct values(dispatch_id) as dispatch_ids latest(_time) as _time by store_id driver_id | where dispatch_id_ct>1
The dedup restricts the search to the last 2 entries for a driver. Depending on your needs (timeframes) you may be able to omit this. Note that dispatch_id (and _time) must not be in the by clause of the stats, otherwise every row has a distinct count of 1 and the where clause never matches.
Hi @nickhills ,
I am using the below query:
index=tracking sourcetype="pp_zero" business_date!="" error_code!=1001
| table _time business_date store_id driver_id dispatch_id error_code status_code miles
Now, I want to set an alert whenever there is a sudden change of dispatch_id for that particular driver_id. For example:
driver_id  dispatch_id  time
d1         200          t1   -- alert should be sent
d2         300          t2   -- alert should be sent
d3         400          t3   -- alert should be sent
d2         300          t4   -- no alert should be sent because one was already sent for d2
d1         300          t5   -- alert should be sent
d3         400          t5   -- no alert should be sent because one was already sent for d3
Got my point?
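The thread describes two slightly different alert rules: the answer's "sudden change" (a driver's dispatch_id differs from the previous event) and the asker's worked example (alert once per driver/dispatch pair and never again). The Python below is an added example written for this thread, not code from either poster or from Splunk; it replays the asker's example rows, with one extra constructed row (d1 returning to dispatch 200 at t6) to show where the two rules diverge. The function names and the in-memory `seen` set (standing in for a Splunk lookup carried between scheduled alert runs) are assumptions of this example.

```python
# Constructed sample events mirroring the asker's example table (not real data).
# "t1".."t6" stand in for _time and sort in order as plain strings.
SAMPLE_EVENTS = [
    {"_time": "t1", "driver_id": "d1", "dispatch_id": 200},
    {"_time": "t2", "driver_id": "d2", "dispatch_id": 300},
    {"_time": "t3", "driver_id": "d3", "dispatch_id": 400},
    {"_time": "t4", "driver_id": "d2", "dispatch_id": 300},
    {"_time": "t5", "driver_id": "d1", "dispatch_id": 300},
    {"_time": "t5", "driver_id": "d3", "dispatch_id": 400},
    # Extra constructed row: d1 goes back to an earlier dispatch_id.
    {"_time": "t6", "driver_id": "d1", "dispatch_id": 200},
]


def first_seen_alerts(events, seen=None):
    """Alert once per (driver_id, dispatch_id) pair, as in the asker's example.

    `seen` is the state carried between scheduled runs (hypothetical stand-in for
    a lookup written back with outputlookup); it is updated in place so a second
    run over new events does not re-alert on pairs already reported.
    """
    if seen is None:
        seen = set()
    alerts = []
    # Search results may arrive out of order, so sort by time first.
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["driver_id"], ev["dispatch_id"])
        if key in seen:
            continue  # already alerted for this driver/dispatch pair
        seen.add(key)
        alerts.append({"_time": ev["_time"],
                       "driver_id": ev["driver_id"],
                       "dispatch_id": ev["dispatch_id"]})
    return alerts


def dispatch_change_alerts(events):
    """Alert when a driver's dispatch_id differs from that driver's previous event.

    This is the literal "sudden change" reading from the answer: only the previous
    event per driver matters (the role of `dedup 2 driver_id`), so a driver returning
    to an earlier dispatch_id alerts again. The first event for a driver also alerts,
    since there is no previous dispatch to compare against.
    """
    last = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        driver = ev["driver_id"]
        previous = last.get(driver)
        if previous != ev["dispatch_id"]:
            alerts.append({"_time": ev["_time"],
                           "driver_id": driver,
                           "dispatch_id": ev["dispatch_id"],
                           "previous_dispatch_id": previous})
        last[driver] = ev["dispatch_id"]
    return alerts


if __name__ == "__main__":
    for a in first_seen_alerts(SAMPLE_EVENTS):
        print("first-seen alert:", a)
    for a in dispatch_change_alerts(SAMPLE_EVENTS):
        print("change alert:", a)
```

Over the sample rows, `first_seen_alerts` fires for d1/200, d2/300, d3/400 and d1/300 only, matching the asker's table; `dispatch_change_alerts` additionally fires at t6 when d1 moves back to 200. Which rule is right depends on whether "already sent" should suppress a pair forever (needs state kept across alert runs) or only suppress an unchanged dispatch (no state beyond the last event per driver).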