Alert radius accountig request per second

fazimov · ‎03-13-2021

Hi all

I need help to configure alert for radius accounting request per second. To find requests per second we did this formula:

sourcetype="cisco:bulkstats:up:systemSch10" host=dyu-sae-1-1
| stats sum(aaa_ttlradacctreq) as req sum(aaa_ttlradacctreqretried) as retr by _time
| delta req as rq
| delta retr as rt
| timechart span=5m per_second(rq) as "requests per second" per_second(rt) as "retries per second"

per_second(rq) shows approximately 400 request/s

So I want to configure alert if this goes to 600 request/s

Any help appreciated

Many thanks

tscroggins · ‎03-13-2021

@fazimov

Splunk provides a manual dedicated to alerting: Alerting Manual.

From Create scheduled alerts:

Navigate to the Search page in the Search and Reporting app.
Create a search.
Select Save As>Alert.

From Configure alert trigger conditions:

Use a search with custom trigger condition

The alert uses this search, with Last 7 days selected in the time range picker.

index=_internal (log_level=ERROR OR log_level=FATAL OR log_level=CRITICAL) | stats count by log_level

The following custom triggering condition is added.

search count > 10

In this scenario, the original search results detail the count for all log levels, but the alert triggers only when the log_level counts are greater than ten. This means that all log_level counts are available to use as part of an alert notification.

In your custom trigger condition, enter e.g.:

search "requests per second" >= 600

You can also add a where or search command to the base alert search and trigger the alert when Number of Results is greater than: 0.

Alert radius accountig request per second

alert action

alert condition

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!