Splunk Search

How to subtract two extracted fields and alert on the result?

Explorer

I have created 2 extracted fields. The 1st I have created from a main list which is RFQ_Request,
and the second one is from a list from another search. I saved both extracted fields as RFQ_latest.
I want to subtract RFQ_Request - RFQ_latest and if there is any result, I need to alert on this.

Please help me to make an alert for this.
Thanks


SplunkTrust

You'll need a search with both fields in it. Then compare the two and trigger an alert if there are more than zero results.

search 1 | fields RFQ_Request | append [ search 2 | fields RFQ_latest] | where RFQ_Request > RFQ_latest
---
If this reply helps you, an upvote would be appreciated.

Explorer

But this is going to fire every time? Is there a way I can set it so previous records which already got an alert should not come up next time?

Like if I got an alert for 12345.

Next time in my log I don't want to see it. Can we do something like that?

Thanks
Ashok


SplunkTrust

If you limit your search to a certain time range it will only trigger an alert once per event. For example, if the search only looks at the last 5 minutes and runs every 5 minutes, then you'll see a given event only one time.

---
If this reply helps you, an upvote would be appreciated.
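As an added example that is not part of this thread, here is one way to put both replies together as a scheduled alert in savedsearches.conf: a single search that collects both message types, keeps only the RFQ ids that have a request event but no "latest version" event, and a throttle so an id that has already alerted is not reported again for a day. The index name rfq_app and the stanza name are placeholders; the two message strings and the fields RFQID and RFQID_RFQ_Update are the ones quoted in the thread.

```ini
# Added example (not from the thread): a scheduled alert in savedsearches.conf.
# Assumed names: index "rfq_app" and the stanza name are placeholders; the two
# message strings and the fields RFQID / RFQID_RFQ_Update come from the thread.
[RFQ requests without a latest-version update]
enableSched = 1
cron_schedule = */5 * * * *
# Look back further than the schedule interval so an update that arrives a
# few minutes after its request is still seen in the same window.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Collect both message types in one search, derive a single id field, then
# count per id how many request and how many update events were seen.
# Only ids with at least one request and no update survive the where clause.
search = (index=rfq_app "Received quote request, will send ack") OR (index=rfq_app "Retrieving latest version of RFQ id") \
| eval id=coalesce(RFQID, RFQID_RFQ_Update) \
| stats sum(eval(if(isnotnull(RFQID), 1, 0))) AS requests, sum(eval(if(isnotnull(RFQID_RFQ_Update), 1, 0))) AS updates BY id \
| where requests > 0 AND updates = 0
# Fire when the search returns at least one row, once per result row ...
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
# ... but throttle per id: once an id has alerted, the same id is suppressed
# for 24 hours even if it keeps matching on later runs.
alert.suppress = 1
alert.suppress.period = 24h
alert.suppress.fields = id
alert.track = 1
```

Because the search window (15 minutes) is wider than the run interval (5 minutes), an unmatched request would otherwise be reported on two or three consecutive runs; the per-field throttle on id is what turns that into a single alert. Widen dispatch.earliest_time to cover the longest normal delay between a request and its update, otherwise ids whose update simply has not arrived yet will be flagged.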

Explorer

This one did not work, any issue? I did the same as you:

Received quote request, will send ack |fields RFQID | append [Retrieving latest version of RFQ id |fields RFQID_RFQ_Update] | where RFQID > RFQID_RFQ_Update


SplunkTrust

How many values are RFQID and RFQID_RFQ_Update going to have?
