Alerting

Number of Occurrences for certain value for certain amount in 5 minute span

carlyleadmin
Contributor

Hi Splunk Gurus!!!

I have the below query in my environment to find out the seconds it took for the job to complete/not complete.

"Ping to url [/services/Queue/ProcessDius] took" AND "seconds and resulted in status code NoContent" | rex field=_raw "took (?<ProcessTime>.*) seconds" | where ProcessTime > 60


What I am trying to achieve is an alert, if possible, that fires when the ProcessTime is greater than 60 seconds and this happens more than 6 times in a 5 minute span.

Thank you for all your help in advance.


adonio
Ultra Champion

You will probably want to use streamstats and time_window; read more here:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

something like this:
... your search so far ... | sort - _time | streamstats time_window=5m count as high_count_in_five_minutes | where high_count_in_five_minutes >=6

try this search anywhere to better understand how it works:

| gentimes start=-1 increment=30s 
| head 100
| eval _time = starttime 
| eval value = random()%100
| where value > 60
| table _time value
| sort _time
| streamstats time_window=5m count as high_count_in_five_minutes

here is another slightly different approach:

| gentimes start=-1 increment=30s 
| head 100
| eval _time = starttime 
| eval value = random()%100
| table _time value
| sort _time
| eval bad = if(value > 60,1,0)
| where bad = 1
| streamstats time_window=5m count(bad) as bad_count

hope it helps

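To make the sliding-window semantics of the suggested `sort _time | streamstats time_window=5m count` concrete outside Splunk, here is an added Python example (not adonio's search or Splunk code) that runs the same extraction and windowed count over constructed log lines shaped like the one in the question. The timestamp prefix, the durations and the one non-NoContent line are invented; the threshold of 60 seconds, the 5-minute window and the path are taken from the thread.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events modelled on the log line quoted in the question;
# times, durations and the "OK" status line are invented for illustration.
_TEMPLATE = ("2024-03-01 {t} Ping to url [/services/Queue/ProcessDius] took {s} seconds "
             "and resulted in status code {code}")
SAMPLE_LOG = "\n".join(_TEMPLATE.format(t=t, s=s, code=c) for t, s, c in [
    ("10:00:00", "12.4", "NoContent"), ("10:00:30", "75.1", "NoContent"),
    ("10:01:00", "60.0", "NoContent"), ("10:01:00", "88.2", "NoContent"),
    ("10:01:30", "61.5", "NoContent"), ("10:02:00", "70.0", "NoContent"),
    ("10:02:30", "95.3", "NoContent"), ("10:03:00", "66.6", "OK"),
    ("10:03:30", "64.0", "NoContent"), ("10:20:00", "80.0", "NoContent"),
])

# Same extraction as the question's rex, with the capture narrowed to a number
# and an assumed "YYYY-MM-DD HH:MM:SS" timestamp at the start of each line.
PATTERN = re.compile(
    r"^(?P<ts>\S+ \S+) Ping to url \[/services/Queue/ProcessDius\] took "
    r"(?P<ProcessTime>\d+(?:\.\d+)?) seconds and resulted in status code NoContent$"
)


def parse_slow_jobs(text, threshold_seconds=60.0):
    """rex + `where ProcessTime > 60`: return (time, ProcessTime) for slow jobs only."""
    events = []
    for line in text.splitlines():
        m = PATTERN.match(line)
        if m and float(m.group("ProcessTime")) > threshold_seconds:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, float(m.group("ProcessTime"))))
    return events


def sliding_window_counts(events, window=timedelta(minutes=5)):
    """Mimic `sort _time | streamstats time_window=5m count`: each event is tagged
    with the number of slow events in the trailing window, itself included."""
    recent = deque()
    tagged = []
    for ts, took in sorted(events):      # ascending _time, as in the gentimes examples
        recent.append(ts)
        while ts - recent[0] > window:   # drop events that have fallen out of the window
            recent.popleft()
        tagged.append((ts, took, len(recent)))
    return tagged


def alerts(text, min_count=6):
    """`where high_count_in_five_minutes >= 6`; pass min_count=7 (i.e. > 6) for the
    question's literal "more than 6 times"."""
    return [row for row in sliding_window_counts(parse_slow_jobs(text)) if row[2] >= min_count]
```

With the sample data the sixth slow job at 10:03:30 is the first row that trips the alert, while the isolated slow job at 10:20:00 counts as 1 because everything earlier has left the window.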