Alerting

How to set up Splunk alert based on average of a field?

fhcat9
New Member

I am new to Splunk so pardon me if my question is too naive. I want to set up a Splunk alert if the average of a field is above a threshold. My search is as follows:

sourcetype="somesourcetype" search phase | stats avg(f1) as Average

If I use

sourcetype="somesourcetype" search phase | timechart avg(f1) as Average span=1h

I can see the table listing the average of field f1. But with stats avg(f1) I do not get anything under the statistics panel, and I am not sure how to set up an alert if the average of f1 is above 100ms.

1 Solution

kmaron
Motivator

Assuming your field f1 contains a numeric value in ms, you should be able to do the following search:

sourcetype="somesourcetype" search phase | stats avg(f1) as Average | where Average > 100

And then set your alert to trigger when the Number of Results is > 0.

If you specifically want an hourly average like the timechart, without actually using the timechart command, you can use this search instead:

sourcetype="somesourcetype" search phase | bucket _time span=1h | stats avg(f1) as Average by _time | where Average > 100


PowerPacked
Builder

Please use the trim command to remove the "ms" in the field values.

sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average

And do this for the alert:

sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average | where Average > 100

Thanks


fhcat9
New Member

Thanks, this is what I needed!
But since kmaron's answer was yesterday and it indeed inspired me, I picked it as the answer.



fhcat9
New Member

Thanks. I think the problem now is that this field contains the numeric value and "ms". So it looks like in one event I have f1=50ms, and in another I have f1=120ms. How would I modify the query to remove this "ms" when calculating average?


somesoni2
Revered Legend

You'd do it like this:

sourcetype="somesourcetype" search phase | eval f1=replace(f1,"ms","") | stats avg(f1) as Average | where Average > 100
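The following run-anywhere search is an added example, not from any of the posts above: it builds six constructed events with makeresults (values like "50ms", so no sourcetype is needed), strips the "ms" suffix as in somesoni2's reply, and applies kmaron's hourly bucket-and-threshold logic so you can verify the alert search before pointing it at real data. The field name f1_num and the sample values are assumptions.

```spl
| makeresults count=6
| streamstats count as n
| eval _time=relative_time(now(), "@h") - floor((n-1)/3)*3600
| eval f1=case(n=1,"50ms", n=2,"120ms", n=3,"140ms", n=4,"95ms", n=5,"80ms", n=6,"90ms")
| eval f1_num=tonumber(replace(f1,"ms$",""))
| bucket _time span=1h
| stats avg(f1_num) as Average by _time
| where Average > 100
```

The first three events fall in the current hour (average 103.33) and the other three in the previous hour (average 88.33), so the search returns exactly one row; an alert set to trigger when the Number of Results is > 0 would fire for the current hour only.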