Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure Splunk custom alert?

devdattajogleka
Explorer
‎05-25-2022 12:13 AM

Hello,

I am configuring a custom splunk alert. My search query is as follows

 

| dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory
where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")" | fields file_count,date |where file_count<100 | chart
avg(file_count) as avg_count

 

I want to send an alert when the file_count is less than 0.95*avg_count or greater than 1.5*avg_count
So can I configure a custom alert with condition "search file_count < (0.95*avg_count) OR file_count > (1.5*avg_count)"

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-25-2022 12:36 AM

Use eventstats rather than chart to get the average in each event and then use a where command to find the events which are outside the bounds

View solution in original post

0 Karma
Reply
Solved! Jump to solution

devdattajogleka
Explorer
‎05-25-2022 02:29 AM

Actually I want to take average of all 'file_count's which are less than 100. Thats why I have applied where condition first.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-25-2022 05:21 AM

I am not suggesting you remove that where command, I am suggesting you replace the chart with an eventstats and another where command

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-25-2022 12:36 AM

Use eventstats rather than chart to get the average in each event and then use a where command to find the events which are outside the bounds

0 Karma
Reply
Solved! Jump to solution

devdattajogleka
Explorer
‎05-26-2022 06:40 AM

Yeah got that. Alert is working. Thank you so much.

I want to add one more condition to it. The alert should the include the file_count's of last week only. I used following query for that.

| dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory
where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")" | fields file_count,date | where file_count<100 | eventstats  avg(file_count) as avg_count | where file_count < (avg_count*0.875) or file_count > (avg_count*1.125) | fields file_count,date | where date > relative_time(now(), "-7d@d")

Used "-w" instead of  "-7d@d" Also tried using strftime by specifying date format, using 'earliest' time modifier but the query does not yeild any result whereas it should. Please suggest a solution.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-26-2022 11:05 AM

I suspect date is coming back as a string from dbxquery, therefore you need to parse that into an epoch time so you can compare it with the value returned by relative_time() - try something like this

| where strptime(date,"%m/%d/%y %W") > relative_time(now(), "-7d@d")
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...