Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Base line alerts in splunk

smaran06
Path Finder
‎12-11-2017 03:14 PM

Hi Team,

I have a requirement in splunk, where if instance count went down it should alert. For example if I have 10 instances running in a application and in which 4 went down, then splunk should be able to compare previous results and present results and trigger the alert as its less than 10.

Basically, I want base line alerts, where it should compare previous values to current and if its not same it should, Please let me know how this can be done.

Tags (2)
0 Karma
Reply

DalJeanis
Legend
‎12-11-2017 03:43 PM

There are a couple of different strategies.

First, you can create a search that determines the counts at the two different points in time, and compares the two numbers.

Second, you can create a periodic search that calculates the counts at the current moment and writes that number to a summary index. Then, you compare the last record on the smmary index to the prior record, and alert if the number drops.

Reply

HattrickNZ
Motivator
‎05-21-2018 03:01 PM

so 1/ and 2/ are the same except 2/ uses a summary index as its baseline, whereas 1 just uses a search with the time controlled by earliest = and latest=?

Reply

DalJeanis
Legend
‎05-21-2018 07:47 PM

@HattrickNZ - Yep, you can use a single search that checks for two points in the past, or you can create a summary index or lookup table and use that. There are other ways, but those are pretty straightforward.

0 Karma
Reply

HattrickNZ
Motivator
‎05-21-2018 09:03 PM

tks, what are the other ways? I'd like to know for something i am working on at the minute. Because them 2 options you mention are pretty limited to what can be put in the search e.g. averages, maxes or mins of certain periods. Maybe I am looking for some more advanced type stats analysis/baselining..

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...