Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert based on evaluating two time ranges

nbharadwaj
Path Finder
‎03-03-2011 06:30 AM

I am trying to send alerts based on the following criteria:

Last 15-20 mins: Measure avg(field1) --> value1 Last 10-15 mins: Measure avg(field1) --> value2

Calculate the % change between value1 and value2:

diff = (value2-value1)*100/value1

If diff is more than X percent than I need to send an alert notification.

How can I do this in one search command?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 07:50 AM

In the TimeRangePicker, choose 'custom time', then go to 'advanced'.

Enter the following as your timerange.

earliest = -20min@min

latest = -10min@min

And here's a search that will work:

<your search terms> | eval period=if(_time<relative_time(now(), "-15min@min"),"older_period", "recent_period") | eval foo=1 | chart avg(field1) over foo by period | eval diff = (recent_period-older_period)*100/older_period | where diff>X

Then save the search, click the 'schedule this search' box, and tell splunkd that if the search returns 1 or more rows, that you want it to send you an email.

here's another different search that will work too, although you have to use the same timerange

<your search terms> | timechart avg(field1) as avg span=5min | transpose | search column=avg | rename "row 1" as "older_period" | rename "row 2" as "recent_period" | eval diff = (recent_period-older_period)*100/older_period | where diff>X

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 07:50 AM

In the TimeRangePicker, choose 'custom time', then go to 'advanced'.

Enter the following as your timerange.

earliest = -20min@min

latest = -10min@min

And here's a search that will work:

<your search terms> | eval period=if(_time<relative_time(now(), "-15min@min"),"older_period", "recent_period") | eval foo=1 | chart avg(field1) over foo by period | eval diff = (recent_period-older_period)*100/older_period | where diff>X

Then save the search, click the 'schedule this search' box, and tell splunkd that if the search returns 1 or more rows, that you want it to send you an email.

here's another different search that will work too, although you have to use the same timerange

<your search terms> | timechart avg(field1) as avg span=5min | transpose | search column=avg | rename "row 1" as "older_period" | rename "row 2" as "recent_period" | eval diff = (recent_period-older_period)*100/older_period | where diff>X

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...