topic Re: How to create an alert on traffic drop Deviation? in Splunk Enterprise

How to create an alert on traffic drop Deviation?

shashank_24 — Mon, 05 Sep 2022 22:20:05 GMT

Hi, I want to create an alert on traffic drop deviation. Something like if the traffic drop by 50% than what was it in last hour or if the traffic drops to zero, then I want the alert triggered.

Creating alert on 0 traffic is easy but that could give false positives as well so I am trying to find a way to alert only if there is a significant deviation.

Is that possible? I have this query at the moment which looks into the incoming requests. I can run the alert every 15 or 30 minutes and want to trigger if there is a deviation.

index=myapp_prod "message.logPoint"=INCOMING_REQUEST | timechart span=30m count

Best Regards,
Shashank

Re: Alert on traffic drop Deviation

ITWhisperer — Mon, 05 Sep 2022 11:27:48 GMT

index=myapp_prod "message.logPoint"=INCOMING_REQUEST | timechart span=30m count | streamstats window=1 current=f values(count) as previous | where count / previous < 0.5

Re: How to create an alert on traffic drop Deviation?

shashank_24 — Tue, 06 Sep 2022 08:46:41 GMT

@ITWhisperer This was perfect. Everything I needed. Thanks for the help. 🙂

Just one more thing, Is there a way to compare that with same time frame but from last week? For example 10:00 today Thursday with 10:00 Thursday last week?

Re: How to create an alert on traffic drop Deviation?

ITWhisperer — Tue, 06 Sep 2022 09:15:14 GMT

There is a timewrap command for this sort of thing.