Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert based on meeting criteria over a certain time period

tblue
Engager
‎02-06-2014 11:55 AM

I'm trying to convert this Search into an alert

index=cj t=* earliest=-60m  | eval myfield=case(t >= .051, "Over", t <= .050, "Under") | timechart count by myfield |  eval Total=Over+Under |eval OverPerc=100*Over/Total | eval UnderPerc=100*Under/Total  | fields Total Under UnderPerc Over OverPerc

i've tried searchtimespanminutes but the output still shows in like 5 second increments.

I want to add ... |where OverPerc>= .1

But want it to be over say a 10 minute period, I want OverPerc to not exceed .1 over a given timeframe, even in real time, it should not alert if it's only matched one result, it should wait until it loads the 60 minutes or 10 minutes, or 5 minutes of data to make the match.

Thanks

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-06-2014 12:24 PM

To force your timechart into grouping larger spans of time together, change it like this:

... | timechart span=10m count by myfield | ...

In case you're getting false positives due to the clock being for example 02:00:05 and only one event occurred during those five seconds, you can add this:

... | timechart span=10m partial=f count by myfield | ...

That way buckets are discarded if the ten minute span isn't over yet.

0 Karma
Reply

tblue
Engager
‎02-06-2014 01:03 PM

BAHH, always trying to make it harder then it is.. Thanks this worked!

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...