Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create an alert "where" condition for only results of the past 1 hour

Steve_A200
Path Finder
‎03-15-2022 12:39 PM

I have a search in which I segregated the result into 1 hour spans using:

 

| bin _time span=1h

 

 

I use predict command to compare the results from the search to the predicted values with actual data captured.


I would like to have splunk check the results hourly, and alert me if the Actual_Percent < Predicted_Percent

I would like to only evaluated results that are part of specific hours of the day, so I added:

 

 

 

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| where Actual_Percent < Predicted_Percent

 

 

 

Now, I have 3 columns of data:

_time Actual_Percent Predicted_Percent

8:00

9:00

10:00

11:00

60

75

85

90

58

80

80

95

  

I need to get an alert based on individual time slots as the job is executed, so if the alert triggered for any value of Actual_Percent < Predicted_Percent (in this case 9:00, and 11:00), but I don't want to get new alerts subsequent to the original alert for that time slot.


If I setup the alert to send email on any results greater than 0, then it will send email as soon as the first time it sees result set matching the criteria (i.e.9:00), and will continue throughout the rest of the day.

However, I want only 1 alert per time slot if the condition Actual_Percent < Predicted_Percent.

Is there a way to restrict the "where" statement to only look at data for that past 1 hour time slot?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2022 02:54 PM

Would this work for you?

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| reverse
| head 1
| where Actual_Percent < Predicted_Percent

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2022 02:54 PM

Would this work for you?

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| reverse
| head 1
| where Actual_Percent < Predicted_Percent
Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎03-15-2022 03:01 PM

Yes, thank you.

adding the lines below fixed it:

|   reverse
|   head 1 

 

Thanks again.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-15-2022 01:19 PM

Why are you running a search over 15 hours if you only care about 1 hour?  I suggest running the alert hourly over the previous hour's data and triggering if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎03-15-2022 02:22 PM

I only care about the past hour results in the alert, but the Predicted_Percent values are generated from the past 7 day algorithm. I am only interested in comparing Percentage values during certain hours of the day.

I am just not sure how to isolate the past 1 hour results for the alert to examine.

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...