https://community.splunk.com/t5/Alerting/Trigger-alert-on-value-from-predict-calculation/m-p/488830#M8664 <P>Right, eventually found something that works for me. Not sure if it is the best way but it does work. Below is the query to get the result shown above. </P> <P>I simply added in the alert the line<BR /> <STRONG>| search Prediction &lt; 2000</STRONG><BR /> Just above the last one where I removed the fields I don't want to see. The result is two dates in the future. the 11th and the 12th of April. So it works and returns the dates to focus on. </P> <P>For the alert itself the end result needs to be cleaned up but it does what I need.</P> <PRE><CODE>index=xxxxx host=xxxxx source="Perfmon:Memory" counter="Available MBytes" | eval Value=round(Value,0) | timechart span=1d avg(Value) as "Available MBytes", latest(host) as host, latest(counter) as counter partial=false | lookup resource_thresholds.csv resource_name AS host, resource_metric AS counter OUTPUTNEW resource_threshold_warning,resource_threshold_critical | eval Warning=resource_threshold_warning | eval Critical=resource_threshold_critical | predict "Available MBytes" as Prediction future_timespan=14 | eval Prediction = round(Prediction,0) | fields - lower95(Prediction), upper95(Prediction) resource_threshold_warning resource_threshold_critical host counter </CODE></PRE> Mon, 30 Mar 2020 12:36:47 GMT wbolten 2020-03-30T12:36:47Z https://community.splunk.com/t5/Alerting/Trigger-alert-on-value-from-predict-calculation/m-p/488829#M8663 <P>Hi,</P> <P>I am trying to build an alert from the following query. The query collects the counters for memory usage, especially the free amount. It plots a time chart of the last 21 days and performs a prediction over the coming 14 days. The graph itself is perfect. It also shows in the prediction that in the next 14 days we run out of memory. </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8507i4EA48F22DB2005E9/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <PRE><CODE>index=xxxxx host=xxxxx source="Perfmon:Memory" counter="Available MBytes" | eval Value=(Value/1024) | timechart span=1d avg(Value) as "Available MBytes", latest(host) as host, latest(counter) as counter | lookup resource_thresholds.csv resource_name AS host, resource_metric AS counter OUTPUTNEW resource_threshold_warning,resource_threshold_critical | eval Warning=resource_threshold_warning | eval Critical=resource_threshold_critical | predict "Available MBytes" as Prediction future_timespan=14 | eval Prediction = round(Prediction,0) | fields - lower95(Prediction), upper95(Prediction) resource_threshold_warning resource_threshold_critical host counter </CODE></PRE> <P>I want to run this as a scheduled alert (email, MS Teams) every night and be informed when the prediction hits 0 or lower somewhere in the future 14 days in this case. </P> <P>For some reason I cannot seem to get my head around the logic here to trigger the alert. Any suggestions? </P> Mon, 09 Mar 2020 09:45:54 GMT https://community.splunk.com/t5/Alerting/Trigger-alert-on-value-from-predict-calculation/m-p/488829#M8663 wbolten 2020-03-09T09:45:54Z https://community.splunk.com/t5/Alerting/Trigger-alert-on-value-from-predict-calculation/m-p/488830#M8664 <P>Right, eventually found something that works for me. Not sure if it is the best way but it does work. Below is the query to get the result shown above. </P> <P>I simply added in the alert the line<BR /> <STRONG>| search Prediction &lt; 2000</STRONG><BR /> Just above the last one where I removed the fields I don't want to see. The result is two dates in the future. the 11th and the 12th of April. So it works and returns the dates to focus on. </P> <P>For the alert itself the end result needs to be cleaned up but it does what I need.</P> <PRE><CODE>index=xxxxx host=xxxxx source="Perfmon:Memory" counter="Available MBytes" | eval Value=round(Value,0) | timechart span=1d avg(Value) as "Available MBytes", latest(host) as host, latest(counter) as counter partial=false | lookup resource_thresholds.csv resource_name AS host, resource_metric AS counter OUTPUTNEW resource_threshold_warning,resource_threshold_critical | eval Warning=resource_threshold_warning | eval Critical=resource_threshold_critical | predict "Available MBytes" as Prediction future_timespan=14 | eval Prediction = round(Prediction,0) | fields - lower95(Prediction), upper95(Prediction) resource_threshold_warning resource_threshold_critical host counter </CODE></PRE> Mon, 30 Mar 2020 12:36:47 GMT https://community.splunk.com/t5/Alerting/Trigger-alert-on-value-from-predict-calculation/m-p/488830#M8664 wbolten 2020-03-30T12:36:47Z