Alerting

Alert triggers even though it should not

nicxso
Engager

Hi,

I created an alert which counts the total events per sourcetype and compares it with the total events from last week. The alert should trigger when the total events of today have doubled or more compared to last week. I don't know why it's wrong. Also, is there a way to optimize this search? It takes around 1 to 2 minutes to execute.

index=caas_oracle_virtual_directory_* sourcetype="oracle_virtual_directory:*" earliest=-7d@d latest=-7d 
| stats count as event_last_week by index, sourcetype 
| join type=left sourcetype
    [ 
    | search index=caas_oracle_virtual_directory_* sourcetype="oracle_virtual_directory:*" earliest=@d latest=now 
    | stats count as event_today by index, sourcetype 
    | fields sourcetype, event_today] 
| eval time_now = strftime(now(), "%d.%m.%y %H:%M:%S") 
| eval double = (event_last_week*2) 
| where double > event_today 
| table time_now, index, sourcetype, event_last_week, event_today, double 
| rename time_now as "Time", index as "Index" sourcetype as "Source Type", event_last_week as "Total Events Last Week", event_today as "Event Today", double as "Threshold"

And here is the output of the alarm:
[screenshot of the alert output; image not preserved]

Thanks for your help!

0 Karma

adonio
Ultra Champion

hello there,

hope I understand the question
try this out:

| tstats count as event_count where earliest=-7d@d latest=now index=caas_oracle_virtual_directory_* sourcetype="oracle_virtual_directory:*" by index sourcetype _time span=1d
| stats last(_time) AS last_time sum(event_count) AS per_day_count by _time, sourcetype
| eval last_week = if(last_time > exact(relative_time(now(),"-8d@d")) AND last_time <= exact(relative_time(now(),"-7d@d")), per_day_count, 0)
| eval today = if(last_time > exact(relative_time(now(),"-1d@d")) AND last_time <= exact(relative_time(now(),"-0d@d")), per_day_count, 0)
| stats sum(today) AS today sum(last_week) AS last_week by sourcetype
| eval double_last_week = last_week * 2
| eval alert = if(today > double_last_week, 1, 0)

hope it helps

0 Karma

nicxso
Engager

@adonio

I'll give this a try tomorrow. I also created a similar alert to the first one, but that alert only triggers when the total events from today have halved or more compared to last week. So if I changed this part to this:

| eval half_last_week = last_week / 2
| eval alert = if(today < half_last_week, 1, 0)

Would this work, and would the output be the same as the one I had?

0 Karma

adonio
Ultra Champion

supposed to

0 Karma

nicxso
Engager

Because, for example, I need to count all the data from today, e.g. 03/22/2019 12:00:00 AM until now (11:06:00),
and compare it with a week ago, which would be 03/15/2019 12:00:00 AM until 11:06:00. That's how I would like to compare it, and the output should also include the index.

Thanks

0 Karma

adonio
Ultra Champion

you can modify the earliest and latest to match your needs

0 Karma

nicxso
Engager

Just asking: does the search compare the data from the current time now with the current time a week ago?
Otherwise it works.

0 Karma
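The following search is an added example, written for this page; it is not code from either poster. It combines the requirements stated across the thread: count today's events from midnight until now, count last week's events over the same window (midnight seven days ago until now minus seven days), keep the index in the output, and fire on either a doubling or a halving. It also avoids two problems in the original query: `| where double > event_today` keeps rows where today's count is below twice last week's, the opposite of the stated intent, and the left join starts from last week's rows, so a sourcetype that appears only today is dropped, while a sourcetype that vanished today gets a null event_today that `where` silently discards. The index and sourcetype patterns are taken from the thread; the field names and the two threshold labels are this example's own choices.

```spl
| tstats count AS events
    WHERE index=caas_oracle_virtual_directory_* sourcetype="oracle_virtual_directory:*"
          earliest=-7d@d latest=now
    BY index sourcetype _time span=1m
| eval period = case(
      _time >= relative_time(now(), "@d"), "today",
      _time >= relative_time(now(), "-7d@d") AND _time < relative_time(now(), "-7d"), "last_week")
| where isnotnull(period)
| stats sum(eval(if(period=="today", events, 0))) AS event_today,
        sum(eval(if(period=="last_week", events, 0))) AS event_last_week
        BY index sourcetype
| eval threshold_double = event_last_week * 2,
       threshold_half = event_last_week / 2
| eval alert = case(
      event_today >= threshold_double, "doubled",
      event_today <= threshold_half, "halved")
| where isnotnull(alert)
| eval time_now = strftime(now(), "%d.%m.%y %H:%M:%S")
| table time_now index sourcetype event_last_week event_today threshold_double threshold_half alert
```

Because index, sourcetype and _time are indexed fields, a single tstats pass over the tsidx files replaces the two raw-event searches plus the join, which is where the one-to-two-minute runtime came from. Both windows come out of one stats call, so a side with no events is 0 rather than null, and the alert condition in Splunk can simply be "number of results is greater than 0". The minute buckets mean the last-week cutoff is rounded to the minute that contains now minus seven days; if that matters, lower the span. A sourcetype with zero events last week yields threshold_double = 0, so any events today count as "doubled"; add a floor such as `| where event_last_week >= 50 OR event_today >= 50` (threshold chosen per environment) if small baselines make that noisy.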