How to alert on comparison of two fields in a sing...

jaewankim · ‎02-01-2017

I am trying to monitor a log and alert when a certain value spikes higher than usual.
trendline seems to be useful here.

Something like

|stats count, avg(concurrent_user) as user_count by date_minute, date_second |trendline sma10(user_count) as user_count_moving_average

can provide both single value in user_count and a moving average.

How can I set up an alert that can compare the two values, so that if the single value is much greater than the moving average?
I can calculate moving average of different periods and make the comparison as well. I get the search right, but the custom condition on alert setup is baffling me.

vasanthmss · ‎02-01-2017

use the where class to find your matching records, something like this,

|stats count, avg(concurrent_user) as user_count by date_minute, date_second |trendline sma10(user_count) as user_count_moving_average | where user_count_moving_average <=count

in the saved search schedule it when more than one events presents.

Hope this will helps you.

V

adrien_dereumau · ‎12-13-2019

I know it's been a long time since you answered, but your answer helped me at least, well done!

How to alert on comparison of two fields in a single search?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...