I am running a scanner that runs on hundreds of websites and provides a numerical score. Using autoregress, I compare the score against the last score. If it has changed since the last run, I set a11y_changed to True. See below:
host="accessibility-scanner.foo.com" source="/var/log/lighthouse/lighthouse.log" sourcetype=lighthouse requestedUrl=*
| sort 0 requestedUrl, -_time
| dedup 2 requestedUrl
| reverse
| autoregress total__accessibility_score AS old_a11y_score p=1
| eval a11y_changed = if(total__accessibility_score!=old_a11y_score,"True","False")
| reverse
| dedup requestedUrl
| table _time requestedUrl total__accessibility_score old_a11y_score a11y_changed
I want to run the alert on Trigger Condition of a11y_changed="True" using "For each result"... meaning run the alert on each row of the table.
The documentation says an alert can only be 'Evaluated against the results of the base search.' So, I won't have access to my calculated True/False field.
How do I set an alert on a calculated field that cannot be found in a base search?
Admittedly I'm still pretty new to Splunk... but, I think my albeit convoluted search is the only way I can get to the results I need into one row each. I'm tracking hundreds of sites. I can't make an alert for each one.