Alerting

how to create an alert if there is change in the field value

vrmandadi
Builder

Hello All,

I have a field called component with values A, B, C, D. Now I want to alert if there is a new value coming in, for instance E. Then I need to alert with the new value showing.

Thanks in advance

0 Karma
1 Solution

vrmandadi
Builder

I have done something like this and scheduled it to run every 15 minutes

| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName
| eval Match = if(v1=v2, "Match", "No Match")
| search Match="No Match"


0 Karma
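The accepted search compares only the earliest and latest value inside each scheduled window, so a value that changes twice, or changes and changes back, is reported as one "No Match" row without the intermediate values, and the row does not say what the old and new values were. The search below is an added example written for this thread, not code from the original post or from Splunk: it lists every transition per fileName together with the previous and the new value, which is what the alert message needs. The index and sourcetype names (app_logs, component_state) and the 30-minute window are assumptions; fileName, component and name are the field names used in the thread.

```spl
index=app_logs sourcetype=component_state earliest=-30m@m latest=@m
| sort 0 fileName, _time
| streamstats current=f last(component) AS prev_component BY fileName
| where isnotnull(prev_component) AND component!=prev_component
| table _time fileName name prev_component component
```

`sort 0` is needed because `sort` keeps only 10,000 results by default, and the per-fileName ordering is what makes `streamstats current=f last(...) BY fileName` return the previous event's value for the same file. Snapping both ends of the window to the minute (`-30m@m` and `@m`) and scheduling the search on the same 30-minute cron boundary keeps consecutive runs contiguous, so an event on the boundary is not counted twice or missed. In the alert settings use the trigger condition "Number of results is greater than 0" and "Trigger: For each result", so each transition fires its own alert and `$result.prev_component$` / `$result.component$` expand to that row's values rather than to the first row only.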


woodcock
Esteemed Legend

If this works, then you should convert your comment to an answer and click accept.

0 Karma

woodcock
Esteemed Legend

Like this:

... | stats dc(component) AS component_count values(component) AS components BY other fields here like host
| where component_count>1
0 Karma

woodcock
Esteemed Legend

Your description is very unclear but maybe this:

... | streamstats dc(component) AS component_count values(component) AS components
| streamstats current=f last(component_count) AS prev_component_count last(components) AS prev_components
| where component_count > prev_component_count
0 Karma
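For the question as originally asked (fire an alert when a value such as E shows up that has never been seen before), a cumulative `streamstats dc(component)` only knows about the current search window, so a value is "new" relative to that window rather than to history. The following is an added example, not code from this thread or from Splunk, that persists the set of known values in a lookup file. The lookup name known_components.csv, its columns (component, first_seen) and the index and sourcetype names are assumptions. The lookup must exist before the first scheduled run, otherwise the `lookup` command errors; seed it once from historical data with `index=app_logs sourcetype=component_state earliest=-30d | stats min(_time) AS first_seen BY component | outputlookup known_components.csv`.

```spl
index=app_logs sourcetype=component_state earliest=-15m@m latest=@m
| stats min(_time) AS first_seen BY component
| lookup known_components.csv component OUTPUT first_seen AS known_since
| where isnull(known_since)
| fields component first_seen
| outputlookup append=true known_components.csv
```

Rows reaching the end of the pipeline are exactly the never-seen values, so the alert message can use `$result.component$` as to4kawa suggests; `outputlookup` passes its results through, and `append=true` records the new value so the next run treats it as known. Because the lookup is now the alert's state, anyone who can edit it can silence future alerts, so restrict write permission on the lookup to the owning app or role and keep the seed search separate from the scheduled one.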

vrmandadi
Builder

Apologies @woodcock for the unclear description. I have a field called component which has values 1, 2, 3, etc. These values change when a user logs in and makes some changes. The value might increase or decrease. For instance, component test currently has value 1, but after 30 minutes the value might change to 3. In another 30 minutes it might change to 2. I want to generate an alert for each particular component whenever there is a change in its value. I hope this gives a clear idea.

0 Karma

woodcock
Esteemed Legend

Like this:

... | stats count min(_time) AS _time BY component
| search component="E"
0 Karma

vrmandadi
Builder

Thanks for your reply. The component value keeps changing, so I am looking for something like a comparison of the last 30 minutes with the latest, and if there is a change then send an alert along with the new value.

0 Karma

to4kawa
Ultra Champion

....
search E

fire alert with $result.component$

0 Karma