Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert when error rate increases x percent from 3 days ago to 2 days ago

kwiki
New Member
‎07-30-2024 05:05 AM

Hi,

I have a group field "bin" and a query that takes index=myindex response_code!=00. I'm not sure how to create an alert to warn when there is an x percentage increase from day to day on any of the bins.

I tried something along these lines, but could not get the prev_error_count to populate:

 

 

 

index=myindex sourcetype=trans response_code!=00
| bin _time span=1d as day
| stats count as error_count by day, bin
| streamstats current=f window=2 last(error_count) as prev_error_count by bin
| eval perc_increase = error_count  / prev_error_count)*100, 2)
| table perc_increase

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-30-2024 07:39 AM

@kwiki- You are on the right track on using streamstats.  But I would just run two searches and compare the results, it would be much easier to write query for. Here it is:

index=myindex sourcetype=trans response_code!=00 earliest=-3d@d latest=-2d@d
| stats count as error_count_3_days_ago
| append [| search index=myindex sourcetype=trans response_code!=00 earliest=-2d@d latest=-1d@d
| stats count as error_count_2_days_ago]
| stats first(*) as *
| eval perc_increase = (error_count_2_days_ago-error_count_3_days_ago)  / error_count_3_days_ago)*100, 2)
| where perc_increase>3
| table perc_increase

( I have not tested the query, but logic is to append data data together and compare)

 

I hope this helps!!!!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 07:23 AM

Please confirm the "bin" field is present in the index.  It is not created by the bin command.

If the 'bin' field is null or not present then the stats command will return no results and so the streamstats command will have nothing to evaluate.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...