topic Re: How to use the value of a dynamic threshold constructed as a result of a search to create a alert ? in Splunk Search

How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

vallurupallic — Mon, 15 Jul 2019 20:44:10 GMT

The following splunk search is what I'm using to construct the dynamic threshold of a alert I want to create:

sourcetype=my_sourceearliest=-28d 
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5) 
| bucket _time span=1d
| stats count by _time 
| stats avg(count) as dynThreshold | eval dynThreshold=(1.3*dynThreshold)

Now I want to create a alert where the result count is greater than the dynThreshold value constructed above. can someone help with this please.

Re: How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

adonio — Tue, 16 Jul 2019 00:11:27 GMT

try this anywhere:

| gentimes start=-28 increment=1h
| eval _time = starttime
| eval random_value = random()%200
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=$today$ AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-15) 
| bucket _time span=1d
| stats avg(random_value) as avg_ran by _time
| eventstats avg(avg_ran) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(avg_ran > dynZThreshold,1,0)

i changed ... AND (eventMin > curMin-5 to ... > curMin-15 to make sure you will see results

hope it helps

Re: How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

vallurupallic — Tue, 16 Jul 2019 14:44:33 GMT

im trying to substitute the use of random value above with the search query result set. But im not able to find any results. I tried the search query just after gentimes as gentimes need to be the first command. can you help please

Re: How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

adonio — Wed, 30 Sep 2020 01:19:15 GMT

the | gentimes is an example
use your search

Re: How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

vallurupallic — Tue, 16 Jul 2019 15:06:20 GMT

That worked. Thank you.