https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193319#M55633 <P>Amazing answer as always. Only thing here to change is the search time range. earliest=-8d would give today vs last 7 days data volume, not specifically for today vs prior week (well on monday it will be today vs prior week). </P> <P>My suggestion would be to replace <CODE>"earliest=-8d</CODE>" with " <CODE>((earliest=@d ) OR (earliest=-1w@w1 latest=@w1))</CODE>" to capture data logged for today and prior week from Mon-Sun.</P> Fri, 16 Jan 2015 19:43:58 GMT somesoni2 2015-01-16T19:43:58Z https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193315#M55629 <P>Hello Everyone,</P> <P>I want to trigger an alert with a list of hosts that are sending more data compared to the Average of all hosts from the previous week.</P> <PRE><CODE>Eg: The week start from Mon-Sunday has Average(divided by 7) data per host and have added 50% threshold (to compare if its increase is more than this to triggered the alert) HostA: 10mb + 5 (50 %) HostB: 5mb + 2.5(50%) HostC: 1mb + 0.5(50%) and Yesterday the hosts status are HostA: 2mb HostB: 4mb HostC: 2mb </CODE></PRE> <P>I have this search query which will get the hosts sending data more today </P> <PRE><CODE>index=* earliest=-5m | eval esize=len(_raw) | stats count max(esize) by host, source | top host | fields - count </CODE></PRE> <P>but I don't know how to write it for the above scenario.</P> <P>Can any one help me on this.</P> <P>Thanks</P> Wed, 14 Jan 2015 11:49:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193315#M55629 snehal8 2015-01-14T11:49:08Z https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193316#M55630 <P>Wow - I think you are doing this the hard way. Instead of looking at the events, use the _internal index to see how much the forwarders are sending. _internal also includes the fact that the forwarders send their internal logs, but that's a pretty constant amount so you can still compute when a forwarder starts sending more than usual. Here is a search to get you started:</P> <PRE><CODE>index=_internal source=*metrics.log group=tcpin_connections earliest=-8d | eval Forwarder=if(isnull(hostname), sourceHost,hostname) | eval Today=if(_time&gt;relative_time(now(),"@d"),"Today","PriorWeek") | bucket span=1d _time | stats sum(kb) as DailyKB by Forwarder Today _time | chart avg(DailyKB) by Forwarder Today | where Today &gt; PriorWeek * 1.5 </CODE></PRE> <P>This will probably run faster than your solution too, as it will not look at nearly so many events.</P> Thu, 15 Jan 2015 20:55:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193316#M55630 lguinn2 2015-01-15T20:55:10Z https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193317#M55631 <P>Thank you @Anonymous, but i am not getting mean of this "Today=if(_time&gt;relative_time(now(),"@d"),"Today","PriorWeek")", in this "PriorWeek", is this predefined? please could you give me detail it will be grateful. thanks </P> Mon, 28 Sep 2020 18:41:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193317#M55631 snehal8 2020-09-28T18:41:30Z https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193318#M55632 <P>The <CODE>eval Today=...</CODE> statement is setting a new field called Today. If the timestamp of the event is after midnight, then the value of the field is set to "Today". If the timestamp of the event is before midnight, then the field is set to "PriorWeek". </P> <P>I should probably have named the field "TimeGroup" or something; Today is not a good field name, but it should work. At any rate, the chart command transforms the data so that there should be 2 columns in the results: one column named "Today" and one column named "PriorWeek".</P> Fri, 16 Jan 2015 19:00:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193318#M55632 lguinn2 2015-01-16T19:00:23Z https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193319#M55633 <P>Amazing answer as always. Only thing here to change is the search time range. earliest=-8d would give today vs last 7 days data volume, not specifically for today vs prior week (well on monday it will be today vs prior week). </P> <P>My suggestion would be to replace <CODE>"earliest=-8d</CODE>" with " <CODE>((earliest=@d ) OR (earliest=-1w@w1 latest=@w1))</CODE>" to capture data logged for today and prior week from Mon-Sun.</P> Fri, 16 Jan 2015 19:43:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193319#M55633 somesoni2 2015-01-16T19:43:58Z https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193320#M55634 <P>Thanks @lguinn now i understand <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Mon, 19 Jan 2015 09:32:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193320#M55634 snehal8 2015-01-19T09:32:00Z https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193321#M55635 <P>Thanks @somesoni will use this.</P> Mon, 19 Jan 2015 11:51:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-and-set-up-an-alert-displaying-hosts-that-are/m-p/193321#M55635 snehal8 2015-01-19T11:51:54Z