Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Alerting
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: How to edit my saved search to send an alert w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
05:43 AM
Search1: What this does is eval checkout logs from 5 minutes ago to 2 minutes ago,then eval for Peak/OffPeak Tim of Day, and add a Trigger/Don't Trigger condition.
THEN
Search 2: The search is run again to eval checkout logs from 2 minutes ago to now,eval for Peak/OffPeak Tim of Day, and add a Trigger/Don't Trigger condition.
Then I combine them using appendcols and the alert is set where Check1=Trigger AND Check2=Trigger send alert.
What I am trying to do is run this search and eval each minute to compare to the next minute. If any time in the 5 minute span, a Trigger happens twice in a row, then send an alert.
But in testing, I found that this won't work as if minute 5 (oldest) and minute 4 (second oldest) both = Trigger, since they are both under Check1, then it will not trigger.
Maybe this is not the best way to do this...any thoughts?
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application"
earliest=-5min@min latest=-2min@min
| eval HourOfDay=strftime(_time, "%H%M") | eval PeakOrOffPeak=if(((HourOfDay>=900) AND (HourOfDay<=1700)), "Peak", "OffPeak") | bucket _time span=1min | stats count by _time, PeakOrOffPeak
| eval Check1=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger")
| appendcols [search
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application"
earliest=-2min@min latest=now
| eval HourOfDay=strftime(_time, "%H%M") | eval PeakOrOffPeak=if(((HourOfDay>=900) AND (HourOfDay<=1700)), "Peak", "OffPeak") | bucket _time span=1min | stats count by _time, PeakOrOffPeak
| eval Check2=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger")]
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
07:17 AM
Give this a try
Updated
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application" earliest=-5min@min latest=now | bucket _time span=1min | eval HourOfDay=strftime(_time, "%H") | eval PeakOrOffPeak=if(((HourOfDay>=9) AND (HourOfDay<17)), "Peak", "OffPeak") | stats count by _time, PeakOrOffPeak | eval Check=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger") | streamstats current=f window=1 values(Check) as prev | where prev=Check AND Check="Trigger")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
07:17 AM
Give this a try
Updated
index=java host=byx api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application" earliest=-5min@min latest=now | bucket _time span=1min | eval HourOfDay=strftime(_time, "%H") | eval PeakOrOffPeak=if(((HourOfDay>=9) AND (HourOfDay<17)), "Peak", "OffPeak") | stats count by _time, PeakOrOffPeak | eval Check=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger") | streamstats current=f window=1 values(Check) as prev | where prev=Check AND Check="Trigger")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
07:34 AM
In testing I got this back:
Error in 'streamstats' command: The argument 'value(Check)' is invalid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
07:45 AM
Simple mistake:
index=java host=*byx* api_domain=purchase api_method=checkoutShoppingCart status=SUCCESS subscriber=xxx@gmail.com "app_name=Gen31Application" earliest=-5min@min latest=now | bucket _time span=1min | eval HourOfDay=strftime(_time, "%H") | eval PeakOrOffPeak=if(((HourOfDay>=9) AND (HourOfDay<17)), "Peak", "OffPeak") | stats count by _time, PeakOrOffPeak | eval Check=if(PeakOrOffPeak = "OffPeak" AND count < 1, "Trigger", "Dont Trigger")| streamstats current=f window=1 values(Check) as prev | where prev=Check AND Check="Trigger"
changed "value" to "values" and removed closing ")"
Good to go
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tkwaller
Builder
04-05-2016
07:46 AM
Haha added the reponse at the same time!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-05-2016
07:43 AM
Grrrrrrrrr typo. use 'values' instead of 'value'. Updated the answer.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
