Solved: Re: Alert on changed ratio between 2 different eve...

andyk · ‎04-19-2012

I have events coming in that has a field called status_id. This field contains the values OK or ERROR. If I look at the last five minutes it's ok to have a ratio of 20% Errors and 80% events with status_id="OK".

How can I be alerted if the ratio changes to 50% Errors and 50% OK in next 5 minutes?

The total number of events during a 5 minutes period, can be between 20 and 200 depending on the time of the day.

kristian_kolb · ‎04-19-2012

Try this;

sourcetype=your_sourcetype earliest=-5m | stats c AS Total c(eval(status_id="OK")) AS Good c(eval(status_id="ERROR")) AS Bad | eval bad_ratio = Bad/Total

Then set the search to run every 5 minutes, and alert on Custom Condition;

search bad_ratio > 0.25

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-19-2012

Try this;

sourcetype=your_sourcetype earliest=-5m | stats c AS Total c(eval(status_id="OK")) AS Good c(eval(status_id="ERROR")) AS Bad | eval bad_ratio = Bad/Total

Then set the search to run every 5 minutes, and alert on Custom Condition;

search bad_ratio > 0.25

Hope this helps,

Kristian

Alert on changed ratio between 2 different events?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Alert on changed ratio between 2 different events?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR