Solved: Alert on changed ratio between 2 different events?

andyk · ‎04-19-2012

I have events coming in that has a field called status_id. This field contains the values OK or ERROR. If I look at the last five minutes it's ok to have a ratio of 20% Errors and 80% events with status_id="OK".

How can I be alerted if the ratio changes to 50% Errors and 50% OK in next 5 minutes?

The total number of events during a 5 minutes period, can be between 20 and 200 depending on the time of the day.

kristian_kolb · ‎04-19-2012

Try this;

sourcetype=your_sourcetype earliest=-5m | stats c AS Total c(eval(status_id="OK")) AS Good c(eval(status_id="ERROR")) AS Bad | eval bad_ratio = Bad/Total

Then set the search to run every 5 minutes, and alert on Custom Condition;

search bad_ratio > 0.25

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-19-2012

Try this;

sourcetype=your_sourcetype earliest=-5m | stats c AS Total c(eval(status_id="OK")) AS Good c(eval(status_id="ERROR")) AS Bad | eval bad_ratio = Bad/Total

Then set the search to run every 5 minutes, and alert on Custom Condition;

search bad_ratio > 0.25

Hope this helps,

Kristian

Alert on changed ratio between 2 different events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation