Solved: How do I create an alert that triggers based on th...

jitin_ratra · ‎11-14-2018

I am trying to get the counts of events in a 60 minute timeframe with a span of every 10 minutes, and if the count is less than 80%, it should be compared to the last span of 10 mins, and then trigger an alert .

Is there a way to do this ?

i have following query so far but need help with the other part of question

index="test" | timechart count span=10m

I have selected the timerange for 60mins

bkirk · ‎11-14-2018

I think you want to add the following to your SPL:

 | streamstats current=f last(count) as last_count |eval Percent=if(isnotnull(last_count),round((count-last_count)/last_count*100,2)+100,100)

If that isn't what you want at least the streamstats should get you want you want. and then it is just about doing your calculation.

Thank you,
Brian

View solution in original post

bkirk · ‎11-14-2018

I think you want to add the following to your SPL:

 | streamstats current=f last(count) as last_count |eval Percent=if(isnotnull(last_count),round((count-last_count)/last_count*100,2)+100,100)

If that isn't what you want at least the streamstats should get you want you want. and then it is just about doing your calculation.

Thank you,
Brian

jitin_ratra · ‎11-14-2018

Awesome thanks @bkrik. That helped alot

How do I create an alert that triggers based on the percentage of results?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services