We are receiving web traffic to one index from multiple markets, as in the search below. Now we have been asked to set up an alert if there is a decrease of 50% in volume in any market over a time period like an hour or 30 minutes. Can someone help me with how to achieve this?
Charting the traffic by market:
index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded" | timechart count by marketName useother=f usenull=f
index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded"
| stats count by marketName, date_hour
| delta count as difference
| eval percdif=round((difference/count)*100,0)
| where percdif<-50
This should work, and based on this condition you can set up the alert.
Hi @sandeepmakkena, if I remove the date_hour then I get values, but it's taking the count of all markets as the count and taking the difference from that. Is there a way to calculate the difference only from the count of that market alone and then calculate the percentage for that market?
Hi @datamine, I think you will have an hour field among your interesting fields.
If not, add this
| eval date_hour=strftime(_time,"%H")
before the stats command.
As for the count, I did test with my data and it is working fine for me; can you add example data?
Thanks for your question.
See my answer here: https://answers.splunk.com/answering/774433/view.html
Everything should apply, but you'll need to change these lines to fit your use case (and the timechart
| eval Alert_Type = case(Percent_Increase_5_Mins>5,"Error", Percent_Increase_3_Mins>5,"Warning")
Thanks @jacobevans!
But we don't want any static count value to be used; rather a dynamic one: if the count for a specific market in the previous 30 mins/hour is reduced by more than x% compared to the count (only that market) in the last 30 min/hour, then it should alert.
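One way to compare each market only against its own previous period, as an added example search that is not from any of the posters above. It assumes the same index, sourcetype and field names as the original question; the bucket size (span=1h) and the 50% threshold are the values to adjust for a 30-minute window or a different x%. timechart is used instead of stats so that a market with zero events in the current bucket still produces a row (a 100% drop) rather than disappearing from the results; limit=0 keeps all markets instead of timechart's default of ten series.

```spl
index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded"
| timechart span=1h limit=0 useother=f usenull=f count by marketName
| untable _time marketName current_count
| sort 0 marketName, _time
| streamstats current=f window=1 last(current_count) AS previous_count BY marketName
| eval percent_change=round(((current_count - previous_count) / previous_count) * 100, 0)
| where isnotnull(previous_count) AND previous_count > 0 AND percent_change <= -50
| table _time marketName previous_count current_count percent_change
```

Schedule the search every hour (or every 30 minutes with span=30m) over a time range covering the last two buckets, and trigger the alert when the number of results is greater than zero; each result row is one market whose volume fell by 50% or more against its own previous bucket.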