Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert when error rate increases x percent from 3 days ago to 2 days ago

kwiki
New Member
‎07-30-2024 05:05 AM

Hi,

I have a group field "bin" and a query that takes index=myindex response_code!=00. I'm not sure how to create an alert to warn when there is an x percentage increase from day to day on any of the bins.

I tried something along these lines, but could not get the prev_error_count to populate:

 

 

 

index=myindex sourcetype=trans response_code!=00
| bin _time span=1d as day
| stats count as error_count by day, bin
| streamstats current=f window=2 last(error_count) as prev_error_count by bin
| eval perc_increase = error_count  / prev_error_count)*100, 2)
| table perc_increase

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-30-2024 07:39 AM

@kwiki- You are on the right track on using streamstats.  But I would just run two searches and compare the results, it would be much easier to write query for. Here it is:

index=myindex sourcetype=trans response_code!=00 earliest=-3d@d latest=-2d@d
| stats count as error_count_3_days_ago
| append [| search index=myindex sourcetype=trans response_code!=00 earliest=-2d@d latest=-1d@d
| stats count as error_count_2_days_ago]
| stats first(*) as *
| eval perc_increase = (error_count_2_days_ago-error_count_3_days_ago)  / error_count_3_days_ago)*100, 2)
| where perc_increase>3
| table perc_increase

( I have not tested the query, but logic is to append data data together and compare)

 

I hope this helps!!!!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 07:23 AM

Please confirm the "bin" field is present in the index.  It is not created by the bin command.

If the 'bin' field is null or not present then the stats command will return no results and so the streamstats command will have nothing to evaluate.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...