Alerting

How to set up Splunk alert based on average of a field?

fhcat9
New Member

I am new to Splunk so pardon me if my question is too naive. I want to set up a Splunk alert if the average of a field is above a threshold. My search is as follows:

sourcetype="somesourcetype" search phase | stats avg(f1) as Average

If I use

sourcetype="somesourcetype" search phase | timechart avg(f1) as Average span=1h

I can see the table listing the average of field f1. But with stats avg(f1) I do not get anything under the Statistics panel, and I am not sure how to set up an alert if the average of f1 is above 100ms.

0 Karma
1 Solution

kmaron
Motivator

Assuming your field f1 contains a numeric value in ms, you should be able to do the following search:

sourcetype="somesourcetype" search phase | stats avg(f1) as Average | where Average > 100

And then set your alert to trigger when the Number of Results is > 0

If you specifically want an hourly average like the timechart without actually using the timechart command you can use this search instead:

sourcetype="somesourcetype" search phase | bucket _time span=1h | stats avg(f1) as Average by _time | where Average > 100


0 Karma

PowerPacked
Builder

Please use the trim command to remove the ms from the field values.

sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average

And do this for the alert:

sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average | where Average > 100

Thanks

0 Karma

fhcat9
New Member

Thanks, this is what I needed!
But since kmaron's answer was yesterday and it indeed inspired me, I picked it as the answer.

0 Karma


fhcat9
New Member

Thanks. I think the problem now is that this field contains the numeric value and "ms". So it looks like in one event I have f1=50ms, and in another I have f1=120ms. How would I modify the query to remove this "ms" when calculating average?

0 Karma

somesoni2
SplunkTrust

You'd do it like this:

sourcetype="somesourcetype" search phase | eval f1=replace(f1,"ms","") | stats avg(f1) as Average | where Average > 100
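As an added example (not from any of the answers above), this combines the unit stripping with the hourly bucketing, but extracts only values that actually look like a number followed by ms, so a stray non-numeric value cannot be silently skipped by avg() and pull the average down; the field names f1_ms, events and parsed are my own choices.

```spl
sourcetype="somesourcetype" search phase
| rex field=f1 "^\s*(?<f1_ms>\d+(?:\.\d+)?)\s*ms\s*$"
| eval f1_ms=tonumber(f1_ms)
| bucket _time span=1h
| stats count as events, count(f1_ms) as parsed, avg(f1_ms) as Average by _time
| where Average > 100
```

Set the alert to trigger when Number of Results is > 0 as before; comparing parsed with events in each row shows whether unparsed values are distorting the hourly average.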