How to alert when a certain field changes from a v...

clairebesson · ‎08-03-2016

Hi everyone,

I want to create an alert by email when one of the fields of my index changes. I have a file with different counters with values associated (one column for the counters name and one column for the value).

I would like to be notified by email when the value of one specific counter changes.
I’ve read the documentation about real time alert, but I didn’t find anything that could help me.
Example: Let's say that I am interested in the "counter_1". If the value of counter_1 change I would like to be alerted.

Could you help me with that issue?
Thanks!

woodcock · ‎08-06-2016

Setup a search to run every X minutes and over the last X+1 minutes (where X is the same number) and search this:

... | stats dc(counter_1) AS numValues | search numValues>1

sundareshr · ‎08-03-2016

Please share couple of events. Have you extracted these columns as KV pairs? That will have to be your first step. https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf

Once you have fields extracted, you can do a search with earliest=-5m, this will alert you of any changes in the past 5 mins. Since this is an extracted field, real-time search may not work correctly.

JDukeSplunk · ‎08-03-2016

If I read you right, then counter_1 is always X. So, setup the alert to exclude expected results, like X. But if counter_1=Y, the search will return a result, and you can alert on that. So...

 basesearch NOT counter_1=expectedvalue

And then setup the alert to run at whatever interval, and alert if number of results is greater than one?

How to alert when a certain field changes from a value to another random value?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases