Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Alerting
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: How to set up an alert to trigger when the sea...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:30 AM
I want Splunk to notify me when the result increase is more than 20% for the week. For example:
When C2 is more than 20% greater than C1 and C1 20% greater than C0.
Can alert me, changing color, can be anyway.
Thank you!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
09:49 AM
If you want to be alerted on the chart itself, try this
your current search | delta YourField as delta | eval var=delta/YourField *100 | eval var=if(var>=20, var, 0) | fields - delta
You can then add the var field as an overlay with View as Axis = On
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
09:49 AM
If you want to be alerted on the chart itself, try this
your current search | delta YourField as delta | eval var=delta/YourField *100 | eval var=if(var>=20, var, 0) | fields - delta
You can then add the var field as an overlay with View as Axis = On
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:53 AM
returned: Error in 'delta' command: Invalid argument: 'delta'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:56 AM
search:
index=ricoh | table pkNmArq, "Total K Ink Usage _cc",Jobname, date_month , PaginasA4Ricoh, "Total C Ink Usage _cc","Total Y Ink Usage _cc","Total M Ink Usage _cc", custoRicohMlColor, custoRicohMlBlack, _time |
join type=inner max=0 pkNmArq [search index=cmp date_year>=2015 idEtapa=3 CentroImpressao="Alphaville" Maquina="*IP5000_1*" OR Maquina="*IP5000_2*" ClienteAplicacao="TELECOMUNICAÇÕES DE SÃO PAULO S/A (TELESP) - FATURA AUTOENVELOPADA A3 - AT*" |
table pkNmArq, FormatoPapel, ClienteERP, TipoProduto, ClienteAplicacao,PaginasA4CMP, _time] |
eval chaveRicoh = _time+";"+Jobname+";"+PaginasA4Ricoh |
dedup chaveRicoh |
search PaginasA4Ricoh>=1000 |
eval CustoTotal= (('Total K Ink Usage _cc'*custoRicohMlBlack) +
('Total C Ink Usage _cc'*custoRicohMlColor) +
('Total Y Ink Usage _cc'*custoRicohMlColor) +
('Total M Ink Usage _cc'*custoRicohMlColor)) |
fillnull value=0 |
eval CustoMilheiro=((CustoTotal/PaginasA4Ricoh)*1000) |
eval Tipo= if( TipoProduto="AUTOENVELOPADO","AUTOENVELOPADO","INSERIDO") |
eval Produto = ClienteAplicacao."-".Tipo |
timechart span=1week avg(CustoMilheiro) by Produto |
streamstats values(CustoMilheiro) as prev | eval prev=coalesce(prev,CustoMilheiro) | where CustoMilheiro>(1.2*prev)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
10:32 AM
Well, you have a by clause 🙂 Try this
index=ricoh | table pkNmArq, "Total K Ink Usage _cc",Jobname, date_month , PaginasA4Ricoh, "Total C Ink Usage _cc","Total Y Ink Usage _cc","Total M Ink Usage _cc", custoRicohMlColor, custoRicohMlBlack, _time |
join type=inner max=0 pkNmArq [search index=cmp date_year>=2015 idEtapa=3 CentroImpressao="Alphaville" Maquina="IP5000_1" OR Maquina="IP5000_2" ClienteAplicacao="TELECOMUNICAÇÕES DE SÃO PAULO S/A (TELESP) - FATURA AUTOENVELOPADA A3 - AT*" |
table pkNmArq, FormatoPapel, ClienteERP, TipoProduto, ClienteAplicacao,PaginasA4CMP, _time] |
eval chaveRicoh = _time+";"+Jobname+";"+PaginasA4Ricoh |
dedup chaveRicoh |
search PaginasA4Ricoh>=1000 |
eval CustoTotal= (('Total K Ink Usage _cc'*custoRicohMlBlack) +
('Total C Ink Usage _cc'*custoRicohMlColor) +
('Total Y Ink Usage _cc'*custoRicohMlColor) +
('Total M Ink Usage _cc'*custoRicohMlColor)) |
fillnull value=0 |
eval CustoMilheiro=((CustoTotal/PaginasA4Ricoh)*1000) |
eval Tipo= if( TipoProduto="AUTOENVELOPADO","AUTOENVELOPADO","INSERIDO") |
eval Produto = ClienteAplicacao."-".Tipo |
| bin span=1week as time
| stats avg(CustoMilheiro) as average by time Produto
| streamstats range(average) as delta by Produto
| eval var=delta/average*100
| eval var=if(var>=20, var, 0)
| chart values(average) as average values(var) as var over time by sourcetype | rename count:* as *-count var:* as *-var
| eval time=strftime(time, "%m/%d/%y")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
10:33 AM
Overlay all the var fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
10:43 AM
Got it,
But...
Returned: Error in 'bin' command: Invalid argument: 'time'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-07-2016
09:39 AM
Try like this
your current search producing above timechart | streamstats values(PutYourFieldName) as prev | eval prev=coalesce(prev,PutYourFieldName) | where PutYourFieldName>(1.2*prev)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:56 AM
returned: No results found.
search:
index=ricoh | table pkNmArq, "Total K Ink Usage _cc",Jobname, date_month , PaginasA4Ricoh, "Total C Ink Usage _cc","Total Y Ink Usage _cc","Total M Ink Usage _cc", custoRicohMlColor, custoRicohMlBlack, _time |
join type=inner max=0 pkNmArq [search index=cmp date_year>=2015 idEtapa=3 CentroImpressao="Alphaville" Maquina="*IP5000_1*" OR Maquina="*IP5000_2*" ClienteAplicacao="TELECOMUNICAÇÕES DE SÃO PAULO S/A (TELESP) - FATURA AUTOENVELOPADA A3 - AT*" |
table pkNmArq, FormatoPapel, ClienteERP, TipoProduto, ClienteAplicacao,PaginasA4CMP, _time] |
eval chaveRicoh = _time+";"+Jobname+";"+PaginasA4Ricoh |
dedup chaveRicoh |
search PaginasA4Ricoh>=1000 |
eval CustoTotal= (('Total K Ink Usage _cc'*custoRicohMlBlack) +
('Total C Ink Usage _cc'*custoRicohMlColor) +
('Total Y Ink Usage _cc'*custoRicohMlColor) +
('Total M Ink Usage _cc'*custoRicohMlColor)) |
fillnull value=0 |
eval CustoMilheiro=((CustoTotal/PaginasA4Ricoh)*1000) |
eval Tipo= if( TipoProduto="AUTOENVELOPADO","AUTOENVELOPADO","INSERIDO") |
eval Produto = ClienteAplicacao."-".Tipo |
timechart span=1week avg(CustoMilheiro) by Produto |
streamstats values(CustoMilheiro) as prev | eval prev=coalesce(prev,CustoMilheiro) | where CustoMilheiro>(1.2*prev)
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
