Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

searching changes in the specified field

rsathish47
Contributor
‎04-22-2014 09:01 PM

Hi All,

I have search which runs every four hours collecting the mailbox details. i need to alert or notify if any change in the specified field

Event @ 0
MailboxA CA=1 CA2=3
.
.
MailboxZ CA=2 CA2=3

Event @ 4
MailboxA CA=3 CA2=3
.
.
MailboxZ CA=2 CA2=3

Answer:

MailboxA changed CA1 vlaued 1 to 3

Please let me know how to perform this

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-23-2014 05:44 AM

Hi rsathish47,

try something like this:

YourBaseSearchHere | streamstats current=f last(CA) as last_CA by Mailbox | where CA!=last_CA | ...

this assumes that you have a mailbox field extracted that represents MailboxA and/or MailboxZ

hops the helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-23-2014 05:44 AM

Hi rsathish47,

try something like this:

YourBaseSearchHere | streamstats current=f last(CA) as last_CA by Mailbox | where CA!=last_CA | ...

this assumes that you have a mailbox field extracted that represents MailboxA and/or MailboxZ

hops the helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

rsathish47
Contributor
‎04-25-2014 04:23 AM

Thanks Buddy .. it works 🙂 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...