topic Re: Alert if number of events by user is doubled by the average of last month of the same user in Alerting

Alert if number of events by user is doubled by the average of last month of the same user

gutter — Mon, 25 Jul 2016 15:02:43 GMT

I have a search that returns the number of events of every user (count by user).
I'd like to generate an alert if the number of events in one day is the double of the average of events generated in the last month by this user. It should apply to every user 😛

Thanks in advance!

Re: Alert if number of events by user is doubled by the average of last month of the same user

sundareshr — Mon, 25 Jul 2016 17:11:06 GMT

Try this. Set your alert if count>0

index=yourindexname sourcetype=yoursourcetype earliest=-30d@d | eventstats avg(count) as month_avg by user | where _time>=relative_time(now(), "@d") | stats count max(month_avg) as user_avg by user | where count>= user_avg*2

Re: Alert if number of events by user is doubled by the average of last month of the same user

somesoni2 — Mon, 25 Jul 2016 17:20:11 GMT

Give this a try

your base search (earliest=-1mon@mon latest=@mon) OR (earliest=@d latest=now) | eval period=if(_time<relative_time(now(),"@mon"),"LastMon","Today") | bucket span=1d _time | stats count by user type _time | chart avg(count) over user by type | where LastMon*2<Today

Re: Alert if number of events by user is doubled by the average of last month of the same user

gutter — Fri, 29 Jul 2016 13:16:29 GMT

Hi,

Thanks for the answers, but seems it doesn't work or i'm missing something, the search return 0 events:

eventtype=outgoing earliest=-30d@d | eventstats avg(count) as month_avg by user | where _time>=relative_time(now(), "@d") | stats count max(month_avg) as user_avg by user | where count>= user_avg*2

I tried also first to display only the average events for one specific user, with the following search:

eventtype=outgoing earliest=-30d@d | eventstats avg(count) as month_avg by user

But I'm not able to see this average value anywhere (as a field or in statistics, etc.)

Thanks in advance.

Re: Alert if number of events by user is doubled by the average of last month of the same user

gutter — Tue, 29 Sep 2020 10:26:22 GMT

Hi,

Thanks for the answers, but seems it doesn't work or i'm missing something, the search return 0 events:

eventtype=outgoing earliest=-30d@d | eventstats avg(count) as month_avg by user | where _time>=relative_time(now(), "@d") | stats count max(month_avg) as user_avg by user | where count>= user_avg*2

I tried also first to display only the average events for one specific user, with the following search:

eventtype=outgoing earliest=-30d@d | eventstats avg(count) as month_avg by user

But I'm not able to see this average value anywhere (as a field or in statistics, etc.)

Thanks in advance.

Re: Alert if number of events by user is doubled by the average of last month of the same user

sundareshr — Fri, 29 Jul 2016 15:49:41 GMT

Try this

eventtype=outgoing earliest=-30d@d | bin span=1d _time | eventstats count as daily_ct by user _time | where _time>=relative_time(now(), "@d") | stats count avg(daily_ct ) as user_avg by user | where count>= user_avg*2

Re: Alert if number of events by user is doubled by the average of last month of the same user

ppablo — Thu, 04 Aug 2016 19:55:35 GMT

Apologies @sundareshr @gutter if you got a notification that the answer was accepted. I accidentally clicked "Accept", but was going to edit the search formatting in the comment.

Re: Alert if number of events by user is doubled by the average of last month of the same user

gutter — Tue, 29 Sep 2020 10:41:14 GMT

Hi,

I've tried with this search, for example:

eventtype=outgoing earliest=-120d@d | stats count as diary by date_mday,Remitent| stats avg(diary) as average_diary by Remitent where diary>2*average_diary

but if gives no results, where it should return...

This query: eventtype=outgoing earliest=-120d@d | stats count as diary by date_mday,Remitent
returns all the events for every user by every day

And this query: eventtype=outgoing earliest=-120d@d | stats count as diary by date_mday,Remitent| stats avg(diary) as median_diary by Remitent returns the average by every user.

Now, when I put the "where" condition, it returns 0 events (it should return some...)

What I'm missing?...

Thanks in advance.

Re: Alert if number of events by user is doubled by the average of last month of the same user

sundareshr — Tue, 16 Aug 2016 13:35:20 GMT

My bad. Try thsi updated query

eventtype=outgoing earliest=-30d@d | bin span=1mon _time | eventstats count as month_cnt by _time user | eventstats avg(month_cnt) as month_avg by _time user | where _time>=relative_time(now(), "@d") | stats count max(month_avg) as user_avg by user | where count>= user_avg*2

Re: Alert if number of events by user is doubled by the average of last month of the same user

gutter — Tue, 29 Sep 2020 10:39:15 GMT

Hi sundareshr,

It works, but without the "where _time>=relative_time(now(), "@d")" condition...

Thanks.