Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: How to set up Splunk alert based on average of...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am new to Splunk so pardon me if my question is too naive. I want to set up a Splunk alert if the average of a field is above a threshold. My search is as follows:
sourcetype="somesourcetype" search phase | stats avg(f1) as Average
If I use
sourcetype="somesourcetype" search phase | timechart avg(f1) as Average span=1h
I can see the table listing the average of field f1. But with stats avg(f1) I do not get anything under statistics panel and I am not sure how to set up an alert if average of f1 is above 100ms.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
assuming your field f1 contains a numeric value in ms you should be able to do the following search:
sourcetype="somesourcetype" search phase | stats avg(f1) as Average | where Average > 100
And then set your alert to trigger when the Number of Results is > 0
If you specifically want an hourly average like the timechart without actually using the timechart command you can use this search instead:
sourcetype="somesourcetype" search phase | bucket _time span=1h | stats avg(f1) as Average by _time | where Average > 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please use trim command to remove the ms in the field values.
sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average
& and do this for Alert
sourcetype="somesourcetype" search phase | eval Newf1=trim(f1,"ms") | stats avg(Newf1) as Average | where Average > 100
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this is what I needed!
But since kmaron's answer was yesterday and it indeed inspired me, I picked it as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
assuming your field f1 contains a numeric value in ms you should be able to do the following search:
sourcetype="somesourcetype" search phase | stats avg(f1) as Average | where Average > 100
And then set your alert to trigger when the Number of Results is > 0
If you specifically want an hourly average like the timechart without actually using the timechart command you can use this search instead:
sourcetype="somesourcetype" search phase | bucket _time span=1h | stats avg(f1) as Average by _time | where Average > 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I think the problem now is that this field contains the numeric value and "ms". So it looks like in one event I have f1=50ms, and in another I have f1=120ms. How would I modify the query to remove this "ms" when calculating average?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'd do like this
sourcetype="somesourcetype" search phase | eval f1=replace(f1,"ms","") | stats avg(f1) as Average | where Average > 100
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
