Alerting

help with creating an alert when a field value changes

vrmandadi
Builder

Hello All ,

I have a field called version which has values 1,2 etc for each different field "collection" .Now I want to create an alert whenever the version value changes (always goes higher) from 1 to 2 or 2 to 3 .Once the value changes the new events will have the new version value .

For instance for collection A the version is 1 ..in future if that value changes to 2 then the new data will have value 2 and so on

SAMPLE EVENT

{"fileName":"Bggg","id":"5d0d78","isChained":false,"metaInfo":{"author":"","copyright":"","description":"","name":"lin","noOutputFilesMessage":"","outputMessage":"","url":"","urlText":""},"packageType":1,"public":false,"runCount":4,"runDisabled":false,"subscriptionId":"5d013c84d3c465","uploadDate":"\/Date(1583943892366)\/","version":null,"workerTag":"","collections":[{"collectionId":"5dc909225c9e1a89","collectionName":"A"}],"lastRunDate":"\/Date(1583948946000-0400)\/","publishedVersionId":"5e6910d3fa3a841ee8000611","publishedVersionNumber":2,"publishedVersionOwner":{"active":true,"email":"aacom","firstName":"ha","id":"5d0136be14d3c398","lastName":"gi","sId":null,"subscriptionId":"5d0136be17c395"},"subscriptionName":"u"}

Thanks in Advance

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ vrmandadi,
at first you have to extract the two files using a regex like this:

collectionName\":\"(?<collectionName>[^\"]+)".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)

that you can test at https://regex101.com/r/bTPcVJ/1

then you can run a search like this:

index=your_index
| rex "collectionName\":\"(?<collectionName>[^\"]+)".*publishedVersionNumber\":(?<publishedVersionNumber>[^,]+)"
| stats dc(publishedVersionNumber) AS number_of_versions values(publishedVersionNumber) AS publishedVersionNumber BY collectionName

Now you can create an alert adding to the end the row:

| where number_of_versions>1

or display the search in a panel as is.

Ciao.
Giuseppe

0 Karma

vrmandadi
Builder

Thank your response.This is not what I am looking for the version which changed from 1 to 2 in future will change to 3 ...SO the where clause needs to change everytime .I am looking for something like a compare thing which checks the version of a particular collect previously and check with latest and then generate an alert when there is a change

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ vrmandadi,
sorry, I wasn't clear: using this search you don't search if the version of a collectionName has a value greather than 1 but you search if, in the monitoring period, there are two or more different versions for each of them, infact in the number_of_versions field there's ne number of different versions that you have using the distinct_count funtion.

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...