Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Alerting
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to edit my saved search to send an alert when ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
05:43 AM
Search1: What this does is eval checkout logs from 5 minutes ago to 2 minutes ago,then eval for Peak/OffPeak Tim of Day, and add a Trigger/Don't Trigger condition.
THEN
Search 2: The search is run again to eval checkout logs from 2 minutes ago to now,eval for Peak/OffPeak Tim of Day, and add a Trigger/Don't Trigger condition.
Then I combine them using appendcols and the alert is set where Check1=Trigger AND Check2=Trigger send alert.
What I am trying to do is run this search and eval each minute to compare to the next minute. If any time in the 5 minute span, a Trigger happens twice in a row, then send an alert.
But in testing, I found that this won't work as if minute 5 (oldest) and minute 4 (second oldest) both = Trigger, since they are both under Check1, then it will not trigger.
Maybe this is not the best way to do this...any thoughts?
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application"
earliest=-5min@min latest=-2min@min
| eval HourOfDay=strftime(_time, "%H%M") | eval PeakOrOffPeak=if(((HourOfDay>=900) AND (HourOfDay<=1700)), "Peak", "OffPeak") | bucket _time span=1min | stats count by _time, PeakOrOffPeak
| eval Check1=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger")
| appendcols [search
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application"
earliest=-2min@min latest=now
| eval HourOfDay=strftime(_time, "%H%M") | eval PeakOrOffPeak=if(((HourOfDay>=900) AND (HourOfDay<=1700)), "Peak", "OffPeak") | bucket _time span=1min | stats count by _time, PeakOrOffPeak
| eval Check2=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger")]
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
07:17 AM
Give this a try
Updated
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application" earliest=-5min@min latest=now | bucket _time span=1min | eval HourOfDay=strftime(_time, "%H") | eval PeakOrOffPeak=if(((HourOfDay>=9) AND (HourOfDay<17)), "Peak", "OffPeak") | stats count by _time, PeakOrOffPeak | eval Check=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger") | streamstats current=f window=1 values(Check) as prev | where prev=Check AND Check="Trigger")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
07:17 AM
Give this a try
Updated
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application" earliest=-5min@min latest=now | bucket _time span=1min | eval HourOfDay=strftime(_time, "%H") | eval PeakOrOffPeak=if(((HourOfDay>=9) AND (HourOfDay<17)), "Peak", "OffPeak") | stats count by _time, PeakOrOffPeak | eval Check=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger") | streamstats current=f window=1 values(Check) as prev | where prev=Check AND Check="Trigger")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
07:34 AM
In testing I got this back:
Error in 'streamstats' command: The argument 'value(Check)' is invalid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
07:45 AM
Simple mistake:
index=java host=*byx* api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application" earliest=-5min@min latest=now | bucket _time span=1min | eval HourOfDay=strftime(_time, "%H") | eval PeakOrOffPeak=if(((HourOfDay>=9) AND (HourOfDay<17)), "Peak", "OffPeak") | stats count by _time, PeakOrOffPeak | eval Check=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger")| streamstats current=f window=1 values(Check) as prev | where prev=Check AND Check="Trigger"
changed "value" to "values" and removed closing ")"
Good to go
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
07:46 AM
Haha added the reponse at the same time!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
07:43 AM
Grrrrrrrrr typo. use 'values' instead of 'value'. Updated the answer.
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
