https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651645#M1088 <P>That's correct <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Sun, 23 Jul 2023 13:12:58 GMT Akdeveloper 2023-07-23T13:12:58Z https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651630#M1084 <P>Hi,</P><P>I am trying to setup an alert and notify by email, when count of last 3hrs is greater than rolling average of last 7 days using the below query. Query is working fine but in the alert is not working/not getting triggered I tried as below Alert Config</P><P>Trigger conditions in alert Screen are, Trigger alert when ,Custom option ,search alert==true</P><P>&nbsp;</P><P>Query:</P><P>sourcetype="cloudwatch" index=***** earliest=-6d@d latest=@d<BR />|bucket _time span=1d<BR />|stats count by _time<BR />|stats avg(count) as SevenDayAverage<BR />|appendcols [search sourcetype="cloudwatch" index=*****<BR />|stats count as IndividualCount]<BR />|eval alert = if((IndividualCount.SevenDayAverage),"true","false")<BR />SevenDayAverage IndividualCount alert<BR />5 1139 true</P> Sat, 22 Jul 2023 22:55:16 GMT https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651630#M1084 Akdeveloper 2023-07-22T22:55:16Z https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651636#M1085 <P>It is not clear what your if condition is supposed to be doing (was there a typo?), nor indeed what your search is trying to find as you seem to be trying to compare an average daily count with a 3 hour count?</P><P>Also, this is potentially going to be very slow - have you considered using metasearch or summary indexes?</P> Sun, 23 Jul 2023 07:24:08 GMT https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651636#M1085 ITWhisperer 2023-07-23T07:24:08Z https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651640#M1086 <P>Sorry there was typo,this is correct if currently,<SPAN>if((IndividualCount&gt;SevenDayAverage),"true","false").</SPAN></P><P>Reg the query I am trying to compare counts in last three hours with seven day average count,if true then alert.</P><P>I didn't tried metasearches,will give a try too</P> Sun, 23 Jul 2023 11:31:48 GMT https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651640#M1086 Akdeveloper 2023-07-23T11:31:48Z https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651641#M1087 <P>So you are trying to alert if a 3 hour count is greater than the average for a whole day over the last 6 days?</P> Sun, 23 Jul 2023 11:35:09 GMT https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651641#M1087 ITWhisperer 2023-07-23T11:35:09Z https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651645#M1088 <P>That's correct <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Sun, 23 Jul 2023 13:12:58 GMT https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651645#M1088 Akdeveloper 2023-07-23T13:12:58Z https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651647#M1089 <P>Which version of Splunk are you running as there have been problems with custom alert conditions?</P><P>A way to work around this is to add a where command to your search and then alert if there are any results e.g.:</P><LI-CODE lang="markup">| where alert="true"</LI-CODE> Sun, 23 Jul 2023 14:34:32 GMT https://community.splunk.com/t5/Other-Usage/Setting-Rolling-seven-day-average-alert-with-current-day-data/m-p/651647#M1089 ITWhisperer 2023-07-23T14:34:32Z