Splunk Search

How to send an alert whenever there is sudden change of dispatch_id of that driver_id.

New Member

Hi,
The values below are the first event occurrence for each particular driverid with respect to its unique dispatchid. I have the following values after running the search:
time storeid driverid dispatchid errorcode statuscode miles
2020-02-18 12:43:23.589 744107 y 41647 1000 200 0
2020-02-18 12:43:24.235 744107 x 41648 1000 200 0
2020-02-18 12:43:22.911 744107 y 41646 1000 200 0
2020-02-18 12:43:22.260 744107 y 41645 1000 200 0

I need to send the alert whenever there is a sudden change of dispatchid for that driverid.
Currently, I am getting all the values in the alert.

Kindly help me on this.

0 Karma

Re: How to send an alert whenever there is sudden change of dispatch_id of that driver_id.

Ultra Champion

Try this as a starting point:

<your search>
| dedup 2 driverid
| stats dc(dispatchid) as dispatch_id_ct values(dispatchid) as dispatchid latest(_time) as _time by storeid driverid
| where dispatch_id_ct>1

The dedup restricts the search to the last 2 entries for a driver. Depending on your needs (timeframes) you may be able to omit this.

0 Karma

Re: How to send an alert whenever there is sudden change of dispatch_id of that driver_id.

New Member

Hi @nickhillscpl,
I am using the query below:
index=tracking sourcetype="ppzero" businessdate!="" errorcode!=1001
| table _time businessdate storeid driverid dispatchid errorcode status_code miles

Now, I want to set an alert whenever there is a sudden change of dispatchid for that particular driverid. For example:
Table
Driverid dispatchid time

d1 200 t1 --- alert should be sent
d2 300 t2 --- alert should be sent
d3 400 t3 --- alert should be sent
d2 300 t4 --- no alert should be sent because one was already sent for d2
d1 300 t5 --- alert should be sent
d3 400 t5 --- no alert should be sent because one was already sent for d3

Got my point?

0 Karma