Re: How to write condition

yvreddy90 · ‎09-26-2019

(index=logs OR index=audit) AND source="commtasks-logger" AND id=finishedcommtask |stats count by data.succeeded | transpose header_field="data.succeeded" | eval false perc = (f/(f+t))*100 | eval true perc = (t/(f+t))*100

This my query based on this how to write a condition is "false perc >10" trigger alert

Please help me anyone

gcusello · ‎09-26-2019

Hi yvreddy90,
At first you should try your search putting attention to the field names (don't use spaces); false_perc.
Then you have to be sure that "f" and "t" fields have values, so you can calculate the false_perc field.

(index=logs OR index=audit) source="commtasks-logger" id=finishedcommtask 
| stats count by data.succeeded 
| transpose header_field="data.succeeded" 
| eval false_perc=(f/(f+t))*100

then, when you'll be sure of this, at the end of your search you can add the condition:

| where false_perc>10

So if you have results you can trigger the alert.

Bye.
Giuseppe

adonio · ‎09-26-2019

did you try ... | top data.succeeded instead of your ... | stats count ... ?

How to write condition

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation