topic Re: Need help to write a query using Streamstats. in Splunk Search

Need help to write a query using Streamstats.

sridharlakshman — Wed, 01 Apr 2020 15:00:37 GMT

Hi Team,

i have onboarded the Linux CPU logs using Splunk add on for linux. the requirement is , we need send an alert when we hitting the CPU utilization more 80 % and count for the continuously 3 times. Using streamstats command

input is enabled for every 1200 seconds and alert will run every 30 mintues.

Could you please help me to get the query.

Re: Need help to write a query using Streamstats.

memarshall63 — Wed, 01 Apr 2020 15:17:07 GMT

How we did that was to pull together the list of inputs and then add a streamstats like this:

| streamstats current=t window=3 values(status) AS last_three by input_name

Something like this:

index=_internal sourcetype=dbx_job_metrics 
| sort input_name _time 
| table input_name _time status
| streamstats current=t window=3 list(status) as last_three values(status) AS values_three by input_name 
| search values_three != "COMPLETED"

You'll need to adjust a little to get your > 80% in there.. but that's the basics of it.

Re: Need help to write a query using Streamstats.

memarshall63 — Wed, 01 Apr 2020 15:39:28 GMT

Here's a search with numeric values - that you can look at:

index=_internal sourcetype=splunkd kb=* 
| table _time sourcetype kb 
| eval threshold = if(kb<80,"UNDER","OVER")
| streamstats current=t window=3 list(kb) as last_three list(threshold) AS all_threshholds values(threshold) AS last3_threshhold 
| eval ALERT = if(last3_threshhold != "UNDER","All 3 were OVER","")
| eval GOOD = if(last3_threshhold != "OVER","Last 3 were all good","")

Re: Need help to write a query using Streamstats.

woodcock — Wed, 01 Apr 2020 16:03:12 GMT

Like this:

... | streamstats current=t window=3 count(eval(cpu>=80)) AS count80plus
| where count80plus==3