Alerting

How do I create an alert that triggers based on the percentage of results?

jitin_ratra
New Member

I am trying to get the counts of events in a 60 minute timeframe with a span of every 10 minutes, and if the count is less than 80%, it should be compared to the last span of 10 mins, and then trigger an alert.

Is there a way to do this?

I have the following query so far but need help with the other part of the question:

index="test" | timechart count span=10m

I have selected the timerange for 60mins

0 Karma
1 Solution

bkirk
Path Finder

I think you want to add the following to your SPL:

| streamstats current=f last(count) as last_count | eval Percent=if(isnotnull(last_count) AND last_count>0, round((count-last_count)/last_count*100,2)+100, 100)

If that isn't what you want, at least the streamstats should get you what you want, and then it is just about doing your calculation.

Thank you,
Brian


0 Karma
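The following is an added example, not part of the original thread: a small Python model of what the answer's streamstats/eval pipeline computes over the 10-minute buckets that `timechart count span=10m` produces, plus the alert condition the question asks for (current bucket below 80% of the previous one). The bucket data is constructed, and the `threshold` parameter and the alert-on-`Percent < 80` rule are assumptions about how the asker would finish the search. It also shows the two edge cases a real alert would hit: the first bucket, which has no previous value, and a previous bucket of zero, where Splunk's division by zero yields null rather than a number.

```python
from typing import Dict, List, Optional

# Constructed sample: event counts per 10-minute bucket over a 60-minute window,
# in time order, shaped like the rows `timechart count span=10m` returns.
SAMPLE_BUCKETS: List[Dict] = [
    {"_time": "2024-01-01T00:00:00", "count": 100},
    {"_time": "2024-01-01T00:10:00", "count": 95},
    {"_time": "2024-01-01T00:20:00", "count": 70},   # 73.68% of previous -> alert
    {"_time": "2024-01-01T00:30:00", "count": 0},    # 0% of previous -> alert
    {"_time": "2024-01-01T00:40:00", "count": 50},   # previous is 0 -> no ratio, no alert
    {"_time": "2024-01-01T00:50:00", "count": 48},
]


def add_last_count(rows: List[Dict]) -> List[Dict]:
    """Mimic `streamstats current=f last(count) as last_count`: each row receives
    the previous row's count; the first row gets None (Splunk null)."""
    out = []
    prev: Optional[int] = None
    for row in rows:
        new = dict(row)
        new["last_count"] = prev
        out.append(new)
        prev = row["count"]
    return out


def percent_of_previous(count: int, last_count: Optional[int]) -> Optional[float]:
    """Mimic the eval from the answer: 100 when there is no previous bucket,
    None when the previous bucket is 0 (division by zero is null in Splunk),
    otherwise the current count as a rounded percentage of the previous one."""
    if last_count is None:
        return 100.0
    if last_count == 0:
        return None
    return round((count - last_count) / last_count * 100, 2) + 100


def evaluate(rows: List[Dict], threshold: float = 80.0) -> List[Dict]:
    """Attach Percent and an alert flag to every bucket. A null Percent never
    alerts, which is the same outcome as `| where Percent < 80` in Splunk,
    since null comparisons evaluate to false there."""
    enriched = add_last_count(rows)
    for r in enriched:
        r["Percent"] = percent_of_previous(r["count"], r["last_count"])
        r["alert"] = r["Percent"] is not None and r["Percent"] < threshold
    return enriched


def buckets_to_alert(rows: List[Dict], threshold: float = 80.0) -> List[str]:
    """Return the _time of every bucket that should fire the alert."""
    return [r["_time"] for r in evaluate(rows, threshold) if r["alert"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_BUCKETS):
        print(r["_time"], r["count"], r["last_count"], r["Percent"], r["alert"])
    print("alert buckets:", buckets_to_alert(SAMPLE_BUCKETS))
```

In Splunk terms the equivalent finishing step is to append `| where Percent < 80` to the answer's pipeline (assumed here, not given in the thread) and set the alert to trigger when the number of results is greater than 0. Note that the first bucket of every run is pinned to 100, so a scheduled search over a 60-minute window only ever evaluates the five later buckets, and a zero-count previous bucket silently produces no comparison; both are worth knowing before relying on this for detection coverage.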

jitin_ratra
New Member

Awesome, thanks @bkirk. That helped a lot.

0 Karma