The values below are the first event occurrence of each driverid with respect to its unique dispatchid. I am getting the following values after running my search:

time                     storeid  driverid  dispatchid  errorcode  statuscode  miles
2020-02-18 12:43:23.589  744107   y         41647       1000       200         0
2020-02-18 12:43:24.235  744107   x         41648       1000       200         0
2020-02-18 12:43:22.911  744107   y         41646       1000       200         0
2020-02-18 12:43:22.260  744107   y         41645       1000       200         0
I need to send an alert whenever there is a sudden change of dispatchid for a given driverid.
Currently, I am getting all the values in the alert.
Kindly help me on this.
Try this as a starting point:
<your search> | dedup 2 driverid | stats dc(dispatchid) as dispatchid_ct values(dispatchid) as dispatchids latest(_time) as _time by storeid driverid | where dispatchid_ct>1

The dedup restricts the search to the last 2 entries per driver, and the stats groups those two entries per driver so the distinct count of dispatchid is 2 only when the value changed between them (grouping by dispatchid itself would always give a count of 1). Depending on your needs (timeframes) you may be able to omit the dedup.
Hi @nickhillscpl ,
I am using the query below:
index=tracking sourcetype="ppzero" businessdate!="" errorcode!=1001
| table _time businessdate storeid driverid dispatchid errorcode status_code miles
Now, I want to set an alert whenever there is a sudden change of dispatchid for that particular driverid. For example:

driverid  dispatchid  time
d1        200         t1   --- alert should be sent
d2        300         t2   --- alert should be sent
d3        400         t3   --- alert should be sent
d2        300         t4   --- no alert should be sent because one was already sent for d2
d1        300         t5   --- alert should be sent
d3        400         t5   --- no alert should be sent because one was already sent for d3

Got my point?
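The per-driver change detection described in the question, written out as an added Python example (not code from the thread or from Splunk): it walks events in time order, remembers the last dispatchid alerted for each driverid, and emits an alert only when the current dispatchid differs from it. Both sample inputs are constructed from the rows in the question; the `Event` type and function names are my own.

```python
from collections import namedtuple

Event = namedtuple("Event", "time driverid dispatchid")

# Constructed sample, mirroring the d1/d2/d3 sequence in the question.
SAMPLE_EVENTS = [
    Event("t1", "d1", 200),
    Event("t2", "d2", 300),
    Event("t3", "d3", 400),
    Event("t4", "d2", 300),   # same dispatchid as t2: no alert
    Event("t5", "d1", 300),   # d1 changed 200 -> 300: alert
    Event("t5", "d3", 400),   # same dispatchid as t3: no alert
]

# Constructed sample, mirroring the search results in the first post
# (note the rows arrive out of time order, as search output often does).
SEARCH_ROWS = [
    Event("2020-02-18 12:43:23.589", "y", 41647),
    Event("2020-02-18 12:43:24.235", "x", 41648),
    Event("2020-02-18 12:43:22.911", "y", 41646),
    Event("2020-02-18 12:43:22.260", "y", 41645),
]


def dispatch_changes(events):
    """Return the events that should raise an alert.

    An event alerts when its driverid has no previous alert, or when its
    dispatchid differs from the dispatchid last alerted for that driverid.
    Events are processed in time order; the sort is stable, so events with
    equal timestamps keep their input order.
    """
    last_alerted = {}   # driverid -> dispatchid of the last alert sent
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if last_alerted.get(ev.driverid) != ev.dispatchid:
            last_alerted[ev.driverid] = ev.dispatchid
            alerts.append(ev)
    return alerts


def format_alert(ev):
    """One line per alert, in the shape a notification would carry."""
    return f"{ev.time}: driver {ev.driverid} now on dispatch {ev.dispatchid}"


if __name__ == "__main__":
    for ev in dispatch_changes(SAMPLE_EVENTS):
        print(format_alert(ev))
    for ev in dispatch_changes(SEARCH_ROWS):
        print(format_alert(ev))
```

The same logic in SPL is a `streamstats` over the search sorted by `_time`, for instance `| sort 0 _time | streamstats current=f last(dispatchid) as prev_dispatchid by driverid | where isnull(prev_dispatchid) OR dispatchid!=prev_dispatchid`; the Python version is here so the expected alert set for the example rows can be checked directly.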