Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create an alert "where" condition for only results of the past 1 hour

Steve_A200
Path Finder
‎03-15-2022 12:39 PM

I have a search in which I segregated the result into 1 hour spans using:

 

| bin _time span=1h

 

 

I use predict command to compare the results from the search to the predicted values with actual data captured.


I would like to have splunk check the results hourly, and alert me if the Actual_Percent < Predicted_Percent

I would like to only evaluated results that are part of specific hours of the day, so I added:

 

 

 

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| where Actual_Percent < Predicted_Percent

 

 

 

Now, I have 3 columns of data:

_time Actual_Percent Predicted_Percent

8:00

9:00

10:00

11:00

60

75

85

90

58

80

80

95

  

I need to get an alert based on individual time slots as the job is executed, so if the alert triggered for any value of Actual_Percent < Predicted_Percent (in this case 9:00, and 11:00), but I don't want to get new alerts subsequent to the original alert for that time slot.


If I setup the alert to send email on any results greater than 0, then it will send email as soon as the first time it sees result set matching the criteria (i.e.9:00), and will continue throughout the rest of the day.

However, I want only 1 alert per time slot if the condition Actual_Percent < Predicted_Percent.

Is there a way to restrict the "where" statement to only look at data for that past 1 hour time slot?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2022 02:54 PM

Would this work for you?

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| reverse
| head 1
| where Actual_Percent < Predicted_Percent

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2022 02:54 PM

Would this work for you?

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| reverse
| head 1
| where Actual_Percent < Predicted_Percent
Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎03-15-2022 03:01 PM

Yes, thank you.

adding the lines below fixed it:

|   reverse
|   head 1 

 

Thanks again.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-15-2022 01:19 PM

Why are you running a search over 15 hours if you only care about 1 hour?  I suggest running the alert hourly over the previous hour's data and triggering if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎03-15-2022 02:22 PM

I only care about the past hour results in the alert, but the Predicted_Percent values are generated from the past 7 day algorithm. I am only interested in comparing Percentage values during certain hours of the day.

I am just not sure how to isolate the past 1 hour results for the alert to examine.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...