https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486550#M59858 <PRE><CODE>|sort _time # this to make it easier for the application team to read the logs when they open the alert so that all the events are in ascending order. |bin _time span = 16m | stats count by host _time |Where count &gt; 7 # Yeah Should be 7 |Eval count = count *2 # only to display the number of minutes the value was above the threshold | rename count AS "Minutes Over Threshold" host as Host </CODE></PRE> Tue, 19 Nov 2019 13:19:56 GMT omprakash9998 2019-11-19T13:19:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486547#M59855 <P>Hi, </P> <P>I have an event being received once every 2 minutes. I am trying to setup an alert if the Value for the event goes beyond certain threshold for 15 mins or more. I am using the below query. </P> <PRE><CODE>index= x host = y |Where Value &gt; Threshold |sort _time |bin _time span = 16m | stats count by host _time |Where count &gt; 6 |Eval count = count *2 </CODE></PRE> <P>Does the above code need any changes to work. <BR /> Thanks in advance</P> Mon, 18 Nov 2019 18:30:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486547#M59855 omprakash9998 2019-11-18T18:30:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486548#M59856 <P>Some minor edits:</P> <P>index= x host = y Value &gt; Threshold <CODE># moved Value &gt; Threshold up, you also probably want to filter to a very specific set of logs</CODE><BR /> |sort _time <CODE># why do you need the sort? Logs are already sorted _time descending by default</CODE><BR /> | bin _time span = 16m<BR /> | stats count by host, _time <CODE># added a comma for readability</CODE><BR /> |where count &gt; 7 <CODE># shouldn't this be 7? you'd want all 8 2 minute chunks to be above the threshold</CODE><BR /> |eval count = count *2 <CODE># why do you need this line?</CODE></P> <P>There are some other ways to do this (grabbing the earliest time of exceeded value, latest time, taking the diff). I would also urge you to get comfortable testing your alerts, in this case by lowering the threshold and seeing if, for example, a threshold of 0 returns the complete result set of all the hosts you would expect to see.</P> <P>Hope this helps!</P> Mon, 18 Nov 2019 20:21:18 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486548#M59856 aberkow 2019-11-18T20:21:18Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486549#M59857 <P>Thank you for the help. <BR /> How would i go about grabbing the earliest time of exceeded Value and the latest time for the exceeded value and taking the difference.<BR /> thank you</P> Tue, 19 Nov 2019 13:14:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486549#M59857 omprakash9998 2019-11-19T13:14:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486550#M59858 <PRE><CODE>|sort _time # this to make it easier for the application team to read the logs when they open the alert so that all the events are in ascending order. |bin _time span = 16m | stats count by host _time |Where count &gt; 7 # Yeah Should be 7 |Eval count = count *2 # only to display the number of minutes the value was above the threshold | rename count AS "Minutes Over Threshold" host as Host </CODE></PRE> Tue, 19 Nov 2019 13:19:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Alert-if-Value-over-threshold-for-a-certain-period-of-time/m-p/486550#M59858 omprakash9998 2019-11-19T13:19:56Z