I am new to Splunk so pardon me if my question is too naive. I want to set up a Splunk alert if the average of a field is above a threshold. My search is as follows:
sourcetype="somesourcetype" search phase | stats avg(f1) as Average
If I use
sourcetype="somesourcetype" search phase | timechart avg(f1) as Average span=1h
I can see the table listing the average of field f1. But with stats avg(f1)
I do not get anything under the statistics panel, and I am not sure how to set up an alert if the average of f1 is above 100ms.
Assuming your field f1 contains a numeric value in ms, you should be able to do the following search:
sourcetype="somesourcetype" search phase | stats avg(f1) as Average | where Average > 100
And then set your alert to trigger when the Number of Results is > 0
If you specifically want an hourly average like the timechart without actually using the timechart command, you can use this search instead:
sourcetype="somesourcetype" search phase | bucket _time span=1h | stats avg(f1) as Average by _time | where Average > 100
Please use the trim command to remove the ms from the field values.
sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average
And do this for the alert:
sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average | where Average > 100
Thanks
Thanks, this is what I needed!
But since kmaron's answer was yesterday and it indeed inspired me, I picked it as the answer.
Thanks. I think the problem now is that this field contains the numeric value and "ms". So it looks like in one event I have f1=50ms, and in another I have f1=120ms. How would I modify the query to remove this "ms" when calculating average?
You'd do it like this:
sourcetype="somesourcetype" search phase | eval f1=replace(f1,"ms","") | stats avg(f1) as Average | where Average > 100
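An added example (not taken from any of the answers above) that combines the hourly bucket from kmaron's answer with a stricter unit strip. It assumes f1 looks like "50ms" or "50 ms"; the rex pattern, the field name f1_num and the Unparsed column are assumptions. Because avg() silently ignores values it cannot treat as numbers, the search also reports how many events in each hour were skipped, so an alert that fires (or fails to fire) can be checked against the amount of data it actually averaged.

```spl
sourcetype="somesourcetype" search phase
| rex field=f1 "^\s*(?<f1_num>[0-9]+(?:\.[0-9]+)?)\s*ms\s*$"
| eval f1_num=tonumber(f1_num)
| bucket _time span=1h
| stats avg(f1_num) as Average, count as Events, sum(eval(if(isnull(f1_num),1,0))) as Unparsed by _time
| where Average > 100
```

As with the other answers, set the alert to trigger when the Number of Results is > 0; a non-zero Unparsed count in the results means some events in that hour carried a value the pattern did not recognise and were left out of the average.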