Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alert Setup - Based on percentages

kragav
New Member
‎09-16-2011 04:23 AM

Hi 'am trying to setup an alert to trigger based on percentage. But couldn't find the options for the same. Please could you assist me.

For eg:

An alert should trigger if the failure event >=5% of the total events.

Total events = 100
Failure events = 6
Success events = 94

In above case, an alert should be triggered since the failure event is >=5%.

Tags (1)
0 Karma
Reply

borisalves
Path Finder
‎09-23-2011 04:58 PM

Here is my illustration

I create 2 tags

Bad_End totalParts=0, totalParts=1

Good_End totalParts=2, totalParts=3, totalParts=4

Executing this search on my filtered target

| top tag::totalParts

Returns:

tag::totalParts count percent

1 Bad_End 34 1.816239

2 Good_End 1838 98.183761

I would like to Alert based on Good_End being smaller than 97%

I saved the search and would like assistance with the Custom Conditional search expression that would trigger and Alert.

0 Karma
Reply

Drainy
Champion
‎09-16-2011 04:58 AM 
 | eval percentage=((failureevents/successevents)*100) | where percentage>=5

If you could paste some example data it would be easier to give a more accurate answer 🙂
The above is roughly what you want to be doing to produce a percentage that you could perform an alert on

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...