https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635253#M220704 <P>I tuning a bit, but BIG thanks for the concept!</P><P>index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps<BR />| timechart fixedrange=t span=1m limit=5 sum(events) by series<BR />| untable _time series count<BR />| sort _time 0 series<BR />| streamstats current=t time_window=5m count(eval(count&gt;X)) as rollingHighCount by series<BR />| where rollingHighCount=5</P> Tue, 21 Mar 2023 08:44:06 GMT norbertt911 2023-03-21T08:44:06Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635137#M220668 <P>Hello Splunkers,</P> <P>I would like to have to set an alert if a sudden high amount of events are received.&nbsp;</P> <P>I have this base search:</P> <P>index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps<BR />| timechart fixedrange=t span=1m limit=5 sum(events) by series</P> <P>So I have the number of events by a source per minute.&nbsp; I like to trigger an alert if there are more than X events in 5 consecutive minutes from one source.</P> <P>Thanks for your hints in advance</P> Mon, 20 Mar 2023 21:59:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635137#M220668 norbertt911 2023-03-20T21:59:28Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635154#M220674 <P>Based on your search, schedule your report to run every minute using earliest=-5m@m and latest=@m</P><LI-CODE lang="markup">| bin _time span=1m | stats sum(events) as events by _time series | where events &gt; X | stats count by series | where count == 5</LI-CODE> Mon, 20 Mar 2023 15:08:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635154#M220674 ITWhisperer 2023-03-20T15:08:05Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635159#M220677 <P>Hi,</P><P>This returns with a strange result. (If I do not remove the | timechart... line from the original search, there is no result.) But, then the result somehow not including my firewalls, where the event per minute is over 100000...</P><P>Running this every 5 minutes will show the "top list" of the series in that five minutes, but I really looking for the peaks. Running my original search every 3 hours will show the peaks pretty well:&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="norbertt911_0-1679326501773.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24382i20784AC9CAA8F9AE/image-size/medium?v=v2&amp;px=400" role="button" title="norbertt911_0-1679326501773.png" alt="norbertt911_0-1679326501773.png" /></span></P><P>But I want to have an email alert in case the events per minute go over a limit. For example, if the "normal" is 100000/min, but then it goes up 250000/min and then back to 100000/min that's OK I do not want to have an alert. But if it stays on the 250000/min level (that is set as X) for more than 5 minutes continuously, I would like to have the alert. ( and I check the behavior later)</P><P>&nbsp;</P> Mon, 20 Mar 2023 15:45:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635159#M220677 norbertt911 2023-03-20T15:45:44Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635162#M220678 <P>"Strange" while colourful is not particularly descriptive. Without knowledge of your events, and based on what you appear to have been using e.g. events holds some sort of count, summing those counts every minute for the past 5 minutes (by series - whatever that is from your events) would give you totals for each of the 5 minutes. By counting the number of stats events with totals above your threshold would give you the number of minutes each series breached your threshold in the last 5 minutes. Is this not what you were trying to find out? If not, please provide example events and/or a clearer explanation of what you have tried, what you got as a result, and why it is not what you were after.</P> Mon, 20 Mar 2023 16:05:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635162#M220678 ITWhisperer 2023-03-20T16:05:55Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635199#M220692 <P>Try something like this</P><LI-CODE lang="markup">index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series | untable _time series count | sort 0 series _time | streamstats current=t window=5 count(eval(count&gt;X)) as rollingHighCount by series | where rollingHighCount=5</LI-CODE><P>&nbsp;Replace the X in streamstats command with your number.&nbsp;</P> Mon, 20 Mar 2023 20:14:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635199#M220692 somesoni2 2023-03-20T20:14:50Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635207#M220693 <P>I mean with the "strange", that your search returns totally different results than my search <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>My goal is: to monitor the number of events per series per minute - the flow itself.&nbsp; On top of that if there is a&nbsp; peak, like 3-4x more events per minute than usual for a longer period (5-10 minutes), raise an alert. This suddenly increased traffic on network devices/firewalls could be a good indicator of an attack or some issue.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 20 Mar 2023 21:22:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635207#M220693 norbertt911 2023-03-20T21:22:10Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635219#M220695 <P>Apart from counting per minute and then counting how many minutes are over the threshold, you could look at the Machine Learning ToolKit (MLTK) from SplunkBase, which is quite good for building models of normal patterns and detecting anomalies - which is essentially what you are trying to do.</P> Mon, 20 Mar 2023 23:04:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635219#M220695 ITWhisperer 2023-03-20T23:04:23Z https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635253#M220704 <P>I tuning a bit, but BIG thanks for the concept!</P><P>index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps<BR />| timechart fixedrange=t span=1m limit=5 sum(events) by series<BR />| untable _time series count<BR />| sort _time 0 series<BR />| streamstats current=t time_window=5m count(eval(count&gt;X)) as rollingHighCount by series<BR />| where rollingHighCount=5</P> Tue, 21 Mar 2023 08:44:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-an-alert-for-high-amount-of-events/m-p/635253#M220704 norbertt911 2023-03-21T08:44:06Z