Solved: Alert on changed ratio between 2 different events?

andyk · ‎04-19-2012

I have events coming in that has a field called status_id. This field contains the values OK or ERROR. If I look at the last five minutes it's ok to have a ratio of 20% Errors and 80% events with status_id="OK".

How can I be alerted if the ratio changes to 50% Errors and 50% OK in next 5 minutes?

The total number of events during a 5 minutes period, can be between 20 and 200 depending on the time of the day.

kristian_kolb · ‎04-19-2012

Try this;

sourcetype=your_sourcetype earliest=-5m | stats c AS Total c(eval(status_id="OK")) AS Good c(eval(status_id="ERROR")) AS Bad | eval bad_ratio = Bad/Total

Then set the search to run every 5 minutes, and alert on Custom Condition;

search bad_ratio > 0.25

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-19-2012

Try this;

sourcetype=your_sourcetype earliest=-5m | stats c AS Total c(eval(status_id="OK")) AS Good c(eval(status_id="ERROR")) AS Bad | eval bad_ratio = Bad/Total

Then set the search to run every 5 minutes, and alert on Custom Condition;

search bad_ratio > 0.25

Hope this helps,

Kristian

Alert on changed ratio between 2 different events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation