Alert Setup - Based on percentages

kragav · ‎09-16-2011

Hi 'am trying to setup an alert to trigger based on percentage. But couldn't find the options for the same. Please could you assist me.

For eg:

An alert should trigger if the failure event >=5% of the total events.

Total events = 100
Failure events = 6
Success events = 94

In above case, an alert should be triggered since the failure event is >=5%.

borisalves · ‎09-23-2011

Here is my illustration

I create 2 tags

Bad_End totalParts=0, totalParts=1

Good_End totalParts=2, totalParts=3, totalParts=4

Executing this search on my filtered target

| top tag::totalParts

Returns:

tag::totalParts count percent

1 Bad_End 34 1.816239

2 Good_End 1838 98.183761

I would like to Alert based on Good_End being smaller than 97%

I saved the search and would like assistance with the Custom Conditional search expression that would trigger and Alert.

Drainy · ‎09-16-2011

 | eval percentage=((failureevents/successevents)*100) | where percentage>=5

If you could paste some example data it would be easier to give a more accurate answer 🙂
The above is roughly what you want to be doing to produce a percentage that you could perform an alert on

Alert Setup - Based on percentages

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash