Hello All,
I have a field called component with values A, B, C, D. Now I want to alert if there is a new value coming in, for instance E. Then I need to alert with the new value showing.
Thanks in advance
I have done something like this and scheduled it to run every 15 minutes
| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName
| eval Match = if(v1=v2, "Match", "No Match")
| search Match="No Match"
If this works, then you should convert your comment to an answer and click accept.
Like this:
... | stats dc(component) AS component_count values(component) AS components BY other fields here like host
| where component_count>1
Your description is very unclear but maybe this:
... | streamstats dc(component) AS component_count values(component) AS components
| streamstats current=f last(component_count) AS prev_component_count last(components) AS prev_components
| where component_count > prev_component_count
Apologies @woodcock for the unclear description. I have a field called component which has values = 1, 2, 3 etc. These values change when a user logs in and makes some changes. The value might increase or decrease. For instance, component test currently has value 1, but after 30 minutes the value might change to 3. In another 30 minutes it might change to 2. I want to generate an alert for each particular component whenever there is a change in its value. I hope this gives a clear idea.
Like this:
... | stats count min(_time) AS _time BY component
| search component="E"
Thanks for your reply. The component value keeps changing, so I am looking for something like a comparison of the last 30 minutes with the latest, to see if there is a change and then send an alert along with the new value
....
search E
fire alert with $result.component$
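
An added example, not posted by anyone in this thread: one way to alert on a component value that has never been seen before, without hard-coding "E". It searches a longer baseline and keeps only values whose first occurrence falls inside the 15-minute schedule interval mentioned above. The index and sourcetype are placeholders, and the 30-day baseline is an assumption.

```spl
index=<your_index> sourcetype=<your_sourcetype> component=* earliest=-30d latest=now
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY component
| where first_seen >= relative_time(now(), "-15m")
| convert ctime(first_seen) ctime(last_seen)
| table component first_seen last_seen count
```

Each result row is one new value, so an alert triggered per result can reference it with the `$result.component$` token. A value last seen before the baseline window will be reported as new again.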