Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure Splunk custom alert?

devdattajogleka
Explorer
‎05-25-2022 12:13 AM

Hello,

I am configuring a custom splunk alert. My search query is as follows

 

| dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory
where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")" | fields file_count,date |where file_count<100 | chart
avg(file_count) as avg_count

 

I want to send an alert when the file_count is less than 0.95*avg_count or greater than 1.5*avg_count
So can I configure a custom alert with condition "search file_count < (0.95*avg_count) OR file_count > (1.5*avg_count)"

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-25-2022 12:36 AM

Use eventstats rather than chart to get the average in each event and then use a where command to find the events which are outside the bounds

View solution in original post

0 Karma
Reply
Solved! Jump to solution

devdattajogleka
Explorer
‎05-25-2022 02:29 AM

Actually I want to take average of all 'file_count's which are less than 100. Thats why I have applied where condition first.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-25-2022 05:21 AM

I am not suggesting you remove that where command, I am suggesting you replace the chart with an eventstats and another where command

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-25-2022 12:36 AM

Use eventstats rather than chart to get the average in each event and then use a where command to find the events which are outside the bounds

0 Karma
Reply
Solved! Jump to solution

devdattajogleka
Explorer
‎05-26-2022 06:40 AM

Yeah got that. Alert is working. Thank you so much.

I want to add one more condition to it. The alert should the include the file_count's of last week only. I used following query for that.

| dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory
where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")" | fields file_count,date | where file_count<100 | eventstats  avg(file_count) as avg_count | where file_count < (avg_count*0.875) or file_count > (avg_count*1.125) | fields file_count,date | where date > relative_time(now(), "-7d@d")

Used "-w" instead of  "-7d@d" Also tried using strftime by specifying date format, using 'earliest' time modifier but the query does not yeild any result whereas it should. Please suggest a solution.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-26-2022 11:05 AM

I suspect date is coming back as a string from dbxquery, therefore you need to parse that into an epoch time so you can compare it with the value returned by relative_time() - try something like this

| where strptime(date,"%m/%d/%y %W") > relative_time(now(), "-7d@d")
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...