Hi all
I need help configuring an alert for RADIUS accounting requests per second. To find requests per second we used this formula:
sourcetype="cisco:bulkstats:up:systemSch10" host=dyu-sae-1-1
| stats sum(aaa_ttlradacctreq) as req sum(aaa_ttlradacctreqretried) as retr by _time
| delta req as rq
| delta retr as rt
| timechart span=5m per_second(rq) as "requests per second" per_second(rt) as "retries per second"
per_second(rq) shows approximately 400 requests/s.
So I want to configure an alert if this goes to 600 requests/s.
Any help appreciated
Many thanks
Splunk provides a manual dedicated to alerting: Alerting Manual.
From Create scheduled alerts:
From Configure alert trigger conditions:
Use a search with custom trigger condition
The alert uses this search, with Last 7 days selected in the time range picker.
index=_internal (log_level=ERROR OR log_level=FATAL OR log_level=CRITICAL) | stats count by log_level
The following custom triggering condition is added.
search count > 10
In this scenario, the original search results detail the count for all log levels, but the alert triggers only when the log_level counts are greater than ten. This means that all log_level counts are available to use as part of an alert notification.
In your custom trigger condition, enter e.g.:
search "requests per second" >= 600
You can also add a where or search command to the base alert search and trigger the alert when Number of Results is greater than: 0.
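The last suggestion, written out as a scheduled alert in savedsearches.conf. This is an added example, not part of the original answer: the search and the 600 threshold come from the question, while the stanza name, schedule and time window are assumptions to adjust.

```ini
# savedsearches.conf
# Stanza name, cron schedule and dispatch window below are assumed values.
[RADIUS accounting request rate high]
# Base search from the question, with a where clause appended.
# In where, a field name containing spaces is wrapped in single quotes.
search = sourcetype="cisco:bulkstats:up:systemSch10" host=dyu-sae-1-1 \
| stats sum(aaa_ttlradacctreq) as req sum(aaa_ttlradacctreqretried) as retr by _time \
| delta req as rq \
| delta retr as rt \
| timechart span=5m per_second(rq) as "requests per second" per_second(rt) as "retries per second" \
| where 'requests per second' >= 600
# Run every 5 minutes over the last 15 minutes (assumed window).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when Number of Results is greater than 0.
counttype = number of events
relation = greater than
quantity = 0
# List the alert under Triggered Alerts.
alert.track = 1
```

Because the where clause filters the results, only the 5-minute buckets at or above the threshold reach the alert notification.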