https://community.splunk.com/t5/Alerting/Alert-based-on-evaluating-two-time-ranges/m-p/53114#M720 <P>In the TimeRangePicker, choose 'custom time', then go to 'advanced'. </P> <P>Enter the following as your timerange. </P> <P>earliest = <CODE>-20min@min</CODE></P> <P>latest = <CODE>-10min@min</CODE></P> <P>And here's a search that will work: </P> <P><CODE>&lt;your search terms&gt; | eval period=if(_time&lt;relative_time(now(), "-15min@min"),"older_period", "recent_period") | eval foo=1 | chart avg(field1) over foo by period | eval diff = (recent_period-older_period)*100/older_period | where diff&gt;X</CODE></P> <P>Then save the search, click the 'schedule this search' box, and tell splunkd that if the search returns 1 or more rows, that you want it to send you an email. </P> <P>here's another different search that will work too, although you have to use the same timerange</P> <P><CODE>&lt;your search terms&gt; | timechart avg(field1) as avg span=5min | transpose | search column=avg | rename "row 1" as "older_period" | rename "row 2" as "recent_period" | eval diff = (recent_period-older_period)*100/older_period | where diff&gt;X</CODE></P> Thu, 03 Mar 2011 15:50:49 GMT sideview 2011-03-03T15:50:49Z https://community.splunk.com/t5/Alerting/Alert-based-on-evaluating-two-time-ranges/m-p/53113#M719 <P>I am trying to send alerts based on the following criteria:</P> <P>Last 15-20 mins: Measure avg(field1) --&gt; value1 Last 10-15 mins: Measure avg(field1) --&gt; value2</P> <P>Calculate the % change between value1 and value2:</P> <P>diff = (value2-value1)*100/value1</P> <P>If diff is more than X percent than I need to send an alert notification.</P> <P>How can I do this in one search command?</P> Thu, 03 Mar 2011 14:30:52 GMT https://community.splunk.com/t5/Alerting/Alert-based-on-evaluating-two-time-ranges/m-p/53113#M719 nbharadwaj 2011-03-03T14:30:52Z https://community.splunk.com/t5/Alerting/Alert-based-on-evaluating-two-time-ranges/m-p/53114#M720 <P>In the TimeRangePicker, choose 'custom time', then go to 'advanced'. </P> <P>Enter the following as your timerange. </P> <P>earliest = <CODE>-20min@min</CODE></P> <P>latest = <CODE>-10min@min</CODE></P> <P>And here's a search that will work: </P> <P><CODE>&lt;your search terms&gt; | eval period=if(_time&lt;relative_time(now(), "-15min@min"),"older_period", "recent_period") | eval foo=1 | chart avg(field1) over foo by period | eval diff = (recent_period-older_period)*100/older_period | where diff&gt;X</CODE></P> <P>Then save the search, click the 'schedule this search' box, and tell splunkd that if the search returns 1 or more rows, that you want it to send you an email. </P> <P>here's another different search that will work too, although you have to use the same timerange</P> <P><CODE>&lt;your search terms&gt; | timechart avg(field1) as avg span=5min | transpose | search column=avg | rename "row 1" as "older_period" | rename "row 2" as "recent_period" | eval diff = (recent_period-older_period)*100/older_period | where diff&gt;X</CODE></P> Thu, 03 Mar 2011 15:50:49 GMT https://community.splunk.com/t5/Alerting/Alert-based-on-evaluating-two-time-ranges/m-p/53114#M720 sideview 2011-03-03T15:50:49Z