Splunk Search

How to set up an alert to trigger when a site has multiple versions?

KindaWorking
Path Finder

I have a table that shows something like this:

Site X          V 1.1
                V 1.2
                V 1.3

Site Y          V 1.3

Site Z          V 1.2

I want an alert to show me when a site has multiple versions. I cannot quite get my search correct.

The search I am currently using:

| dbquery "SQLDB" "SELECT * FROM TABLE WHERE StatusType='Version' ORDER BY SITES" | stats values(StatusValue) by SITES

musskopf
Builder

Assuming the table above has the columns siteName and siteVersion, and assuming siteVersion is a multi-value field, you could use the function mvcount. Something like this:

... <YOUR SEARCH> | where mvcount(siteVersion) > 1

That would list only the sites with multiple versions, so you could set up your alert based on that.

ps.: I've assumed lots of things as there was not much information provided.

KindaWorking
Path Finder

Sorry about being so vague. I have updated my question to include the search string I am using. I am going to try to incorporate mvcount into my search and see how I go.

musskopf
Builder

It should work, as the values function you're using will produce a multi-value field. I would only suggest renaming it, like:

... | stats values(StatusValue) AS siteVersion by SITES | where mvcount(siteVersion) > 1

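Putting the accepted answer together as a complete, runnable search (added here as an editor's example; it is not part of the original thread). The makeresults block is constructed sample data that reproduces the table from the question and stands in for the dbquery output, so the search runs on any Splunk instance without DB Connect. The field names SITES, StatusValue and siteVersion follow the thread; versionCount and the sample rows are assumptions.

```spl
| makeresults
| eval data="Site X;V 1.1,Site X;V 1.2,Site X;V 1.3,Site Y;V 1.3,Site Z;V 1.2"
| makemv delim="," data
| mvexpand data
| rex field=data "^(?<SITES>[^;]+);(?<StatusValue>.+)$"
| fields SITES StatusValue
| stats values(StatusValue) AS siteVersion dc(StatusValue) AS versionCount by SITES
| where mvcount(siteVersion) > 1
| table SITES versionCount siteVersion
```

On this sample only Site X survives the where clause, with versionCount 3 and the three versions in the multi-value siteVersion field. In production, replace everything up to and including the fields line with the dbquery from the question and save the search as an alert whose trigger condition is "Number of results > 0". Because values() returns deduplicated values, mvcount(siteVersion) is the number of distinct versions at a site, which is why dc(StatusValue) gives the same figure; keeping both in the output makes the alert payload self-explanatory to whoever has to chase down which site is running a mixed set of versions.
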
KindaWorking
Path Finder

You are my hero!
That works perfectly.

ppablo
Retired

Hi @KindaWorking

Can you share the actual search you're using so users can see how you're generating your current results and how they can edit it to help you?

KindaWorking
Path Finder

Sorry about that. Added it in.
