How to create an alert "where" condition for only results of the past 1 hour

Steve_A200
Path Finder

I have a search in which I segregated the result into 1 hour spans using:

| bin _time span=1h

I use the predict command to compare the results from the search, the predicted values, with the actual data captured.


I would like to have Splunk check the results hourly, and alert me if Actual_Percent < Predicted_Percent.

I would like to only evaluate results that are part of specific hours of the day, so I added:

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| where Actual_Percent < Predicted_Percent

Now, I have 3 columns of data:

_time   Actual_Percent   Predicted_Percent
8:00    60               58
9:00    75               80
10:00   85               80
11:00   90               95

I need to get an alert based on individual time slots as the job is executed, so the alert should trigger for any value of Actual_Percent < Predicted_Percent (in this case 9:00 and 11:00), but I don't want to get new alerts subsequent to the original alert for that time slot.


If I set up the alert to send email on any results greater than 0, then it will send email as soon as it first sees a result set matching the criteria (i.e. 9:00), and will continue throughout the rest of the day.

However, I want only 1 alert per time slot if the condition Actual_Percent < Predicted_Percent holds.

Is there a way to restrict the "where" statement to only look at data for that past 1 hour time slot?

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Would this work for you?

| eval date_hour=strftime(_time, "%H")
| search date_hour>=8 date_hour<=23
| reverse
| head 1
| where Actual_Percent < Predicted_Percent
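An alternative to picking the last row by position is to key the final filter off the bucket timestamp, so it does not depend on sort order. This is an added example, not part of the thread; it assumes the poster's bin/predict pipeline (the base search and the stats that produce Actual_Percent are placeholders), uses `predict ... as Predicted_Percent` to name the prediction field, and relies on relative_time()/now() to select the most recent completed hour.

```spl
<base search producing per-event percentage data> earliest=-7d@h latest=@h
| bin _time span=1h
| <stats ... by _time that yields Actual_Percent for each hourly bucket>
| predict Actual_Percent as Predicted_Percent
| eval date_hour=tonumber(strftime(_time, "%H"))
| where date_hour>=8 AND date_hour<=23
| where _time >= relative_time(now(), "-1h@h")
| where isnotnull(Actual_Percent) AND Actual_Percent < Predicted_Percent
```

With latest=@h the last populated bucket is the previous full hour, and relative_time(now(), "-1h@h") is that bucket's start, so the alert scheduled hourly sees at most one row and fires at most once per time slot; the isnotnull() guard drops the future rows predict appends.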


Steve_A200
Path Finder

Yes, thank you.

Adding the lines below fixed it:

| reverse
| head 1

Thanks again.


richgalloway
SplunkTrust
SplunkTrust

Why are you running a search over 15 hours if you only care about 1 hour? I suggest running the alert hourly over the previous hour's data and triggering if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.

Steve_A200
Path Finder

I only care about the past hour's results in the alert, but the Predicted_Percent values are generated from the past-7-day algorithm. I am only interested in comparing Percentage values during certain hours of the day.

I am just not sure how to isolate the past 1 hour results for the alert to examine.
