topic Re: Splunk alert for peak errors only in Splunk Search https://community.splunk.com/t5/Splunk-Search/Splunk-alert-for-peak-errors-only/m-p/537501#M151961 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222349">@shashank_24</a>&nbsp;</P><P>How to determine 'peak'?</P><P>There are a number of ways to look at this, but you could do a timechart and look for the count per minute rather than the total over 30 minutes, e.g.</P><LI-CODE lang="markup">index=myindex sourcetype=ssl_access_combined requested_content="/myapp*" NOT images status=50* | timechart span=1m count by status | where '500'&gt;10</LI-CODE><P>which will look at the number of 500s per minutes and only alert if there are more than 10 in a minute.</P><P>Or you could look for outliers, but this would require a bit of tuning for your your data.</P><LI-CODE lang="markup">index=myindex sourcetype=ssl_access_combined requested_content="/myapp*" NOT images status=500 | bin _time span=1m | stats count by _time | streamstats window=10 avg(count) as avg, stdev(count) as stdev | eval multiplier = 2 | eval lower_bound = avg - (stdev * multiplier) | eval upper_bound = avg + (stdev * multiplier) | eval lower_outlier = if(count &lt; lower_bound, 1, 0) | eval upper_outlier = if(count &gt; upper_bound, 1, 0) | where upper_outlier=1</LI-CODE><P>&nbsp;so this looks for any rolling 10 minute window where the average is 2 standard deviations above the average per minute. Play with the window/multipliers on your historical data to find a number that works for your data. I left the lower_outlier calc in their as an example of picking up values outside the lower bounds also.</P><P>Hope this helps.</P> Wed, 27 Jan 2021 22:08:46 GMT bowesmana 2021-01-27T22:08:46Z Splunk alert for peak errors only https://community.splunk.com/t5/Splunk-Search/Splunk-alert-for-peak-errors-only/m-p/537477#M151951 <P>Hi,&nbsp; I am working on a query to write an alert where i need to monitor few pages for 500 Errors. Now currently there are some investigations going on to fix those errors so we usually get few every 30 minutes.</P><P><SPAN>So basically at the moment not every 5xx is a problem and I know it's hard for us to see, which of those are "real problems" and which not.</SPAN></P><P><SPAN>What I want to do is something like&nbsp;adjust our thresholds in the Splunk search so that it only recognise&nbsp;peaks, which are surely something "going wrong" and then trigger the alert.</SPAN></P><P><SPAN>I have a alert like this at the moment which is triggered every 30 minutes.</SPAN></P><LI-CODE lang="markup">index=myindex sourcetype=ssl_access_combined requested_content="/myapp*" NOT images status=50* | stats count by status | where (status=500 AND count &gt; 10)</LI-CODE><P>&nbsp;</P><P>Right now it gets triggered when the count of 500 error is 10 in last 30 minutes but I don't want that as it is unnecessary flooding the mailbox.&nbsp;</P><P>Is there a way to achieve what I am required here please?</P> Wed, 27 Jan 2021 18:29:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-alert-for-peak-errors-only/m-p/537477#M151951 shashank_24 2021-01-27T18:29:24Z Re: Splunk alert for peak errors only https://community.splunk.com/t5/Splunk-Search/Splunk-alert-for-peak-errors-only/m-p/537501#M151961 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222349">@shashank_24</a>&nbsp;</P><P>How to determine 'peak'?</P><P>There are a number of ways to look at this, but you could do a timechart and look for the count per minute rather than the total over 30 minutes, e.g.</P><LI-CODE lang="markup">index=myindex sourcetype=ssl_access_combined requested_content="/myapp*" NOT images status=50* | timechart span=1m count by status | where '500'&gt;10</LI-CODE><P>which will look at the number of 500s per minutes and only alert if there are more than 10 in a minute.</P><P>Or you could look for outliers, but this would require a bit of tuning for your your data.</P><LI-CODE lang="markup">index=myindex sourcetype=ssl_access_combined requested_content="/myapp*" NOT images status=500 | bin _time span=1m | stats count by _time | streamstats window=10 avg(count) as avg, stdev(count) as stdev | eval multiplier = 2 | eval lower_bound = avg - (stdev * multiplier) | eval upper_bound = avg + (stdev * multiplier) | eval lower_outlier = if(count &lt; lower_bound, 1, 0) | eval upper_outlier = if(count &gt; upper_bound, 1, 0) | where upper_outlier=1</LI-CODE><P>&nbsp;so this looks for any rolling 10 minute window where the average is 2 standard deviations above the average per minute. Play with the window/multipliers on your historical data to find a number that works for your data. I left the lower_outlier calc in their as an example of picking up values outside the lower bounds also.</P><P>Hope this helps.</P> Wed, 27 Jan 2021 22:08:46 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-alert-for-peak-errors-only/m-p/537501#M151961 bowesmana 2021-01-27T22:08:46Z