I am trying to create an alert to monitor counts on a per hour basis. I would like to set up a dynamic threshold based on the previous day's maximum value + 20% of the max value. Is there a way we can do this in splunk?
Try this:
MySearchStr earliest=-1d@d latest=0d@d | stats max(MyField) AS yesterdayMax | map search="MySearchStr | where MyField>$yesterdayMax$"
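A fuller version of this approach, written as an added example and not part of the thread, that builds the 1.2 x yesterday's-peak threshold the question asks for. It assumes `MySearchStr` is the base search and that "count per hour" is the metric; both names are placeholders taken from the thread.

```spl
MySearchStr earliest=-1d@d latest=@h ```yesterday 00:00 through the last completed hour```
| bin _time span=1h
| stats count AS hourly_count BY _time
| eval period=if(_time < relative_time(now(), "@d"), "yesterday", "today")
| eventstats max(eval(if(period="yesterday", hourly_count, null()))) AS yesterdayMax ```peak hourly count from yesterday, copied onto every row```
| eval threshold=yesterdayMax*1.2 ```dynamic threshold: yesterday's max + 20%```
| where period="today" AND hourly_count > threshold
| table _time hourly_count yesterdayMax threshold
```

Schedule it hourly and set the alert trigger to "number of results > 0": any row returned is an hour of today that exceeded yesterday's peak by more than 20%. Because `stats` only produces rows for hours that had events, hours with zero events never appear; that is fine for a maximum but worth knowing if a "drop to zero" condition is also of interest.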
If I run this, will I get a value of zero or 1 in the visualisation tab?
Is $yesterdayMax$ a variable from the 1st part of the search?
I tried to run it a couple of times, in different ways, and I was getting "no results found".
You want to check the count every hour and compare the count for the current hour with 1.2 times the max count per hour from yesterday?