Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up an alert to trigger when a site has multiple versions?

KindaWorking
Path Finder
‎03-09-2015 02:17 PM

I have a table that shows something like this:

Site X          V 1.1
                V 1.2
                V 1.3

Site Y          V 1.3

Site Z          V 1.2

I want an alert to show me when a site has multiple versions. I cannot not quite get my search correct.

The search I am currently using:

| dbquery "SQLDB" "SELECT * FROM TABLE WHERE StatusType="Version" ORDER BY SITES"|Stats values(StatusValue) by SITES
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

musskopf
Builder
‎03-09-2015 03:29 PM

Assuming the table above you have the columns: siteName and siteVersion, and assuming the siteVersion is a multi-value field you could use the function mvcount. Something like that:

... <YOUR SEARCH> | where mvcount(siteVersion) > 1

That would list only sites with multiple versions, so you could setup your alert based on that.

ps.: I've assumed lots of things as there was no much information provided.

View solution in original post

Reply
Solved! Jump to solution
Solution

musskopf
Builder
‎03-09-2015 03:29 PM

Assuming the table above you have the columns: siteName and siteVersion, and assuming the siteVersion is a multi-value field you could use the function mvcount. Something like that:

... <YOUR SEARCH> | where mvcount(siteVersion) > 1

That would list only sites with multiple versions, so you could setup your alert based on that.

ps.: I've assumed lots of things as there was no much information provided.

Reply
Solved! Jump to solution

KindaWorking
Path Finder
‎03-09-2015 04:11 PM

Sorry about being so vague. I have updated my question to include the search string I am using. I am going to try to incorporate the mcvount into my search and see how I go.

0 Karma
Reply
Solved! Jump to solution

musskopf
Builder
‎03-09-2015 04:19 PM

It should work, as the values function you're using will produce a multi-value field. I would only suggest to rename it, like:

... | stats values(StatusValue) AS siteVersion by SITES | where mvcount(siteVersion) > 1
Reply
Solved! Jump to solution

KindaWorking
Path Finder
‎03-09-2015 04:28 PM

You are my hero!
That works perfectly.

Reply
Solved! Jump to solution

ppablo
Retired
‎03-09-2015 02:36 PM

Hi @KindaWorking

Can you share the actual search you're using so users can see how you're generating your current results and how they can edit it to help you?

0 Karma
Reply
Solved! Jump to solution

KindaWorking
Path Finder
‎03-09-2015 04:14 PM

Sorry about that. Added it in.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...