Alerting

How do I create an alert that triggers based on the percentage of results?

jitin_ratra
New Member

I am trying to get the counts of events in a 60-minute timeframe with a span of 10 minutes, and if the count is less than 80% when compared to the last span of 10 minutes, it should trigger an alert.

Is there a way to do this?

I have the following query so far but need help with the other part of the question:

index="test" | timechart count span=10m

I have selected a time range of 60 minutes.

1 Solution

bkirk
Path Finder

I think you want to add the following to your SPL:

 | streamstats current=f last(count) as last_count | eval Percent=if(isnotnull(last_count), round((count-last_count)/last_count*100,2)+100, 100)

If that isn't what you want, at least the streamstats should get you what you want, and then it is just about doing your calculation.

Thank you,
Brian

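A complete search that combines the original timechart with the streamstats approach from the accepted answer and adds the alert condition. This is an added example, not code posted in the thread. It reads the question as: fire when the current 10-minute bucket holds fewer than 80% of the events of the previous 10-minute bucket. The index name `test` and the field name `last_count` come from the thread; the explicit time range, the `window=1` argument, the field name `pct_of_previous` and the null/zero guards are this example's own choices.

```spl
index="test" earliest=-60m@m latest=@m
| timechart span=10m count
| streamstats window=1 current=f last(count) as last_count
| eval pct_of_previous=if(isnotnull(last_count) AND last_count>0, round(count/last_count*100, 2), null())
| where pct_of_previous < 80
```

`timechart` yields one row per 10-minute bucket with a `count` field; `streamstats window=1 current=f last(count)` copies the previous row's count onto the current row. `count/last_count*100` is the same quantity as the answer's `round((count-last_count)/last_count*100,2)+100`, so a threshold of 80 on either field means the same thing. Three cases are handled deliberately: the first bucket has no predecessor and is left null, so it never fires; a previous bucket with zero events would divide by zero, so it is nulled rather than treated as a drop; and `where` keeps only the buckets that breached the threshold, so the alert can be saved with the trigger condition "Number of Results is greater than 0". Schedule it on the 10-minute boundary (cron `*/10 * * * *`) so the `@m`-snapped window lines up with the bucket edges; if the scheduler runs the search a minute or more late, the final bucket is partial and will look like a drop, so either shift the window back by 10 minutes or accept the extra noise.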


jitin_ratra
New Member

Awesome, thanks @bkirk. That helped a lot.
