Alerting

How to set up an alert for x% decrease in count by market?

New Member

Hi all,

We are receiving web traffic to one index from multiple markets, like the search below. Now we have been asked to set up an alert if there is a 50% decrease in volume in any market over a time period like an hour or 30 mins. Can someone help me achieve this?

Charting the traffic by market:

index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded" |timechart count by marketName useother=f usenull=f

Thanks!

0 Karma


Contributor

index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded"
| stats count by marketName,date_hour
| delta count as difference
| eval percdif=round((difference/count)*100,0)
| where percdif<-50

This should work, and depending on this condition you can do the alert.

New Member

Hi @sandeepmakkena,

It didn't work. When I run the search before saving it as an alert, it's not giving me any stats.

Thanks,
Devon

0 Karma

New Member

Hi @sandeepmakkena, if I remove the date_hour then I get values, but it's taking the count of all markets as count and taking the difference from that. Is there a way to calculate the difference only from the count of that market alone and then calculate the percentage for that market?

Thanks,
Devon

0 Karma

Contributor

Hi @datamine, I think you will have the hour field in your interesting fields.
If not, add this | eval date_hour=strftime(_time,"%H") before the stats command.

As for the count, I did test with my data and it is working fine for me. Can you add example data?
Thanks for your question.

0 Karma

Motivator

Greetings @datamine,

See my answer here: https://answers.splunk.com/answering/774433/view.html

Everything should apply, but you'll need to change these lines to fit your use case (and the timechart span).

 | eval Alert_Type = case (Percent_Increase_5_Mins>5,"Error",
                           Percent_Increase_3_Mins>5,"Warning")

Cheers,
Jacob

0 Karma

New Member

Thanks @jacobevans!

But we don't want any static count value to be used; rather, a dynamic one: if the count for a specific market in the last 30 mins/hour is reduced by more than x% compared to the previous 30 mins/hour count for that same market, then it should alert.

Cheers,
Devon

0 Karma

Motivator

That's exactly what it does 🙂 The "5" is a hard-coded percent - not count.

Cheers,
Jacob
0 Karma
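
The per-market comparison asked about in this thread, as an added example that is not from any poster here: each market's hourly count is compared only with that same market's previous hour. The index, sourcetype and field names come from the question; the 1-hour span, the two-hour search window and the 50% threshold are assumptions to adjust.

```spl
index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded" earliest=-2h@h latest=@h
| timechart span=1h count by marketName useother=f usenull=f limit=0
| untable _time marketName count
| sort 0 marketName _time
| streamstats current=f window=1 last(count) as prev_count by marketName
| where prev_count>0
| eval pct_change=round((count-prev_count)/prev_count*100,0)
| eventstats max(_time) as latest_bucket
| where _time=latest_bucket AND pct_change<=-50
| table _time marketName prev_count count pct_change
```

Because timechart zero-fills an hour in which a market sent nothing, a market that goes silent appears as a -100% change instead of dropping out of the results. Saved as an alert, the trigger condition is "number of results is greater than 0", with one result row per affected market.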