Alerting

How to create an alert on the basis of a threshold?

uagraw01
Builder

Hello Splunkers,

As per the details below, I need to create an alert on the basis of a threshold value. But in this case every offeringID has a different rate. So how can I calculate the threshold for each offeringID, and how can I map this under an alert as a generic threshold value? Please suggest some ideas on this.

Also, is anyone aware of data in-cache memory in Splunk?

[Attached screenshot: IMG_20220505_121554__01.jpg]

0 Karma

ITWhisperer
SplunkTrust

Store the threshold for each Offering_id in a csv store and do a lookup against the Offering_id in the event and compare the event rate with the stored rate.

0 Karma

uagraw01
Builder

@ITWhisperer But how can I define the threshold for each offeringID here? Every offeringID must have a different threshold.

The threshold value should be dynamic for each value, so I am unable to understand how I can apply this.

0 Karma

ITWhisperer
SplunkTrust

What do you mean by rate? How do you calculate this? Where does the threshold come from?

0 Karma

uagraw01
Builder

@ITWhisperer I have attached one screenshot. Please check it for the rate calculation.

We are taking the sum of all the high-risk events and then dividing it by the total number of events.

[Attached screenshot: Screenshot_20220505-140150.jpg]

0 Karma

ITWhisperer
SplunkTrust

So, your threshold is just your rate rounded to 2 decimal places?

Do you recalculate highRisk in the stats along with total by Offering_id?

What do you want to alert on?

A clearer definition of what you are trying to achieve would help.

0 Karma

uagraw01
Builder

@ITWhisperer 

So, your threshold is just your rate rounded to 2 decimal places? ---- Yes, that is the threshold.

Do you recalculate highRisk in the stats along with total by Offering_id? ---- Yes, I have calculated it from offeringID.

What do you want to alert on? ---- I want an alert triggered for the top 10 offering IDs on the basis of the threshold.

A clearer definition of what you are trying to achieve would help.

I am confused over what the generic threshold I would set should be.

0 Karma

ITWhisperer
SplunkTrust

OK, I am unclear about what you are alerting on - alerts are usually raised when something out of the ordinary is detected. Your search seems to be just looking for the top 10 thresholds (as you have calculated them).

How often does this search run?

Do you want an "alert" every time it runs?

If not, under what circumstances do you want an alert raised?

0 Karma

uagraw01
Builder

@ITWhisperer

I have attached the screenshot of my requirement. I hope the screenshot is clear to you.

[Attached screenshot: IMG_20220504_211507__01__01.jpg]

0 Karma

uagraw01
Builder

@ITWhisperer

Please use the latest screenshot.

[Attached screenshot: IMG_20220504_211507__02.jpg]

0 Karma

ITWhisperer
SplunkTrust

OK, so you need to set up a CSV store with the various thresholds for each Offering_id.

You can then use the lookup command in your search to retrieve the corresponding threshold for each Offering_id returned by your stats.

You could then compare your calculated rate against the stored threshold and calculate the variance. Is the difference sufficient, or do you need to take standard deviations from a mean, for example?

You might then sort the variance in descending order to get the top 10 rates higher than their threshold.

Having said that, I am not sure how close this approach is to your requirement because your requirement seems unclear to me (and I suspect to you too!).

Why only store the top 10 in the KV store? What happens when a different Offering_id enters the top 10 (and there is no threshold stored for it)? The criteria for the alert are not clear enough - how often does your alert have to run? How many Offering_ids need to breach their threshold for the alert to be triggered?

0 Karma
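One way to write the lookup-and-compare search described in the answer above, as an added example that is not code from the thread. It assumes a lookup table file `offering_thresholds.csv` with the columns `Offering_id,threshold` has been uploaded to Splunk, that a field `risk_level` with the value `high` marks the high-risk events, and that `<your_index>` and `<your_sourcetype>` are placeholders for the real base search; the `no_threshold` status is added so that an Offering_id with no row in the CSV is surfaced rather than silently dropped.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval highRisk=if(risk_level="high", 1, 0)
| stats sum(highRisk) AS highRisk, count AS total BY Offering_id
| eval rate=round(highRisk/total, 2)
| lookup offering_thresholds.csv Offering_id OUTPUT threshold
| eval status=case(isnull(threshold), "no_threshold", rate>threshold, "breach", true(), "ok")
| eval variance=if(isnotnull(threshold), round(rate-threshold, 2), null())
| where status!="ok"
| sort - variance
| head 10
| table Offering_id highRisk total rate threshold variance status
```

Save this as a scheduled alert with the trigger condition "Number of results" greater than 0 (or greater than N if several Offering_ids must breach before an alert is wanted); the `no_threshold` rows show which Offering_ids still need a threshold row in the CSV.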