topic Re: Need Help with a Splunk Search in Splunk Search

Need Help with a Splunk Search and modifying thresholds based don day and time?

phularah — Mon, 24 Apr 2023 14:43:14 GMT

I am trying to modify Thresholds based on the day and time. I have the chart completed, just need help with the thresholds.
If the day is Saturday or Sunday and host is a1, Threshold should be 1, if host is a2 with same timing conditions, threshold should be 1.5 and for other remaining hosts threshold should be 0.5 with same timing conditions.

If the day is Monday-Friday, and time is between 12:00am to 12:pm, for host a1 threshold should be 3, and for same timing conditions for host a2 threshold should be 4 and for other remaining hosts threshold should be 1 with same timing conditions.

The search that I am trying is something like as shown below, but there are multiple hosts and it is not working for a single host and I need to change thresholds based on time of that particular day as well.

| eval Threshold = case (if(strftime(_time,"%a")="Sat" AND host="a1"), Threshold=1, if(strftime(_time,"%a")=Sun AND host="a1"), Threshold=1, if(strftime(_time,"%a")="Sun" AND host="a2"), Threshold=1.5, if(strftime(_time,"%a")="Sun" AND host="a2"), Threshold=1.5)

Re: Need Help with a Splunk Search

gcusello — Mon, 24 Apr 2023 09:17:23 GMT

Hi @phularah,

you could create a lookup containing the conditions and the threshold: day, host, threshold,

then you could add to you search the lookup like this following:

<your_search> | lookup thresholds.csv day host OUTPUT_threshold | ...

In this way you can easily manage all the conditions.

Ciao.

Giuseppe

Re: Need Help with a Splunk Search

phularah — Mon, 24 Apr 2023 10:42:07 GMT

I need help with case, if and strftime functions. I am doing something wrong and getting error that arguments to the if function are invalid.
I have used various permutations and combinations with strptime and strftime as well.

Also, the threshold needs to be changed depending on the time of the day.

Re: Need Help with a Splunk Search

gcusello — Mon, 24 Apr 2023 15:33:33 GMT

Hi @phularah,

you don't need to use case and if, try this:

| eval Threshold = case(strftime(_time,"%a")="Sat" AND host="a1", Threshold=1, strftime(_time,"%a")="Sun" AND host="a1", Threshold=1, strftime(_time,"%a")="Sun" AND host="a2", Threshold=1.5, strftime(_time,"%a")="Sun" AND host="a2", Threshold=1.5)

Then use always quotes for each strings.

Ciao.

Giuseppe

Re: Need Help with a Splunk Search and modifying thresholds based don day and time?

phularah — Thu, 27 Apr 2023 07:12:59 GMT

| eval Threshold = case(strftime(_time,"%a")="Sat" AND host="a1",1, strftime(_time,"%a")="Sun" AND host="a1",1, strftime(_time,"%a")="Sun" AND host="a2",1.5, strftime(_time,"%a")="Sun" AND host="a2",1.5) It worked. Thanks gcusello.