Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to subtract two extracted fields and alert on the result?

ashokapex
Explorer
‎02-22-2016 09:13 AM

I have created 2 extracted fields. The 1st I have created from a main list which is RFQ_Request,
and the second one is from a list from another search. I saved both extracted fields as RFQ_latest.
I want to subtract RFQ_Request - RFQ_latest and if there is any result, I need to alert on this.

Please help me to make alert for this.
Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-22-2016 09:41 AM

You'll need a search with both fields in it. Then compare the two and trigger an alert if there are more than zero results.

search 1 | fields RFQ_Request | append [ search 2 | fields RFQ_latest] | where RFQ_Request > RFQ_latest
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ashokapex
Explorer
‎02-22-2016 11:03 AM

but this is going to fire everytime? is there way i can set previous records which already got Alert, should not come next time.

like if 12345 i got alert.

next time in my log i dont want to see?? can we do some thing like that??

Thanks
Ashok

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-22-2016 11:09 AM

If you limit your search to a certain time range it will only trigger an alert once per event. For example, if the search only looks at the last 5 minutes and runs every 5 minutes, then you'll see a given event only one time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ashokapex
Explorer
‎02-22-2016 02:11 PM

this one did not work, any issue??
i did same like you?

Received quote request, will send ack |fields RFQID | append [Retrieving latest version of RFQ id |fields RFQID_RFQ_Update] | where RFQID > RFQID_RFQ_Update

0 Karma
Reply

somesoni2
Revered Legend
‎02-22-2016 03:00 PM

How many values of RFQID and RFQID_RFQ_Update is going to have?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...