Alerting

Number of Occurrences for certain value for certain amount in 5 minute span

carlyleadmin
Contributor

Hi Splunk Gurus!!!

I have the below query in my environment to find out the seconds it took for the job to complete/not complete.

"Ping to url [/services/Queue/ProcessDius] took" AND "seconds and resulted in status code NoContent" | rex field=_raw "took (?<ProcessTime>[\d.]+) seconds" | where ProcessTime > 60


What I am trying to achieve is that I want to create an alert, if possible, where the ProcessTime is greater than 60 seconds and it happens more than 6 times in a 5 minute span.

Thank you for all your help in advance.


adonio
SplunkTrust

You will probably want to use streamstats with time_window; read more here:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

Something like this:

... your search so far ... | sort - _time | streamstats time_window=5m count as high_count_in_five_minutes | where high_count_in_five_minutes >= 6

Try this search anywhere to better understand how it works:

| gentimes start=-1 increment=30s 
| head 100
| eval _time = starttime 
| eval value = random()%100
| where value > 60
| table _time value
| sort _time
| streamstats time_window=5m count as high_count_in_five_minutes

Here is another, slightly different approach:

| gentimes start=-1 increment=30s 
| head 100
| eval _time = starttime 
| eval value = random()%100
| table _time value
| sort _time
| eval bad = if(value > 60,1,0)
| where bad = 1
| streamstats time_window=5m count(bad) as bad_count

Hope it helps.

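To show what the two halves of this thread do end to end (the rex extraction of ProcessTime from the question, and the trailing 5-minute count that streamstats time_window performs in the answer), here is an added Python example. It is not Splunk code and not from either poster; it works on constructed log lines with ISO 8601 timestamps, and it assumes the window is "strictly within the last 5 minutes of the current event", which is the reading a defender would want to confirm against the streamstats docs before relying on it for an alert.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the thread). Six pings over 60 s
# fall inside one 5-minute span; one more slow ping arrives 15 minutes later.
SAMPLE_LOG = """\
2021-10-01T12:00:00 Ping to url [/services/Queue/ProcessDius] took 75 seconds and resulted in status code NoContent
2021-10-01T12:00:30 Ping to url [/services/Queue/ProcessDius] took 12 seconds and resulted in status code NoContent
2021-10-01T12:01:00 Ping to url [/services/Queue/ProcessDius] took 90 seconds and resulted in status code NoContent
2021-10-01T12:02:00 Ping to url [/services/Queue/ProcessDius] took 61 seconds and resulted in status code NoContent
2021-10-01T12:02:30 Ping to url [/services/Queue/ProcessDius] took 45 seconds and resulted in status code NoContent
2021-10-01T12:03:00 Ping to url [/services/Queue/ProcessDius] took 120 seconds and resulted in status code NoContent
this line is unrelated noise and is ignored, like events the base search would not match
2021-10-01T12:04:00 Ping to url [/services/Queue/ProcessDius] took 65 seconds and resulted in status code NoContent
2021-10-01T12:04:30 Ping to url [/services/Queue/ProcessDius] took 70 seconds and resulted in status code NoContent
2021-10-01T12:20:00 Ping to url [/services/Queue/ProcessDius] took 80 seconds and resulted in status code NoContent
"""

# Equivalent of the base search plus the rex: the named group plays the role of ProcessTime.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) Ping to url \[/services/Queue/ProcessDius\] took "
    r"(?P<ProcessTime>[\d.]+) seconds and resulted in status code NoContent$"
)


def parse_slow_pings(log_text, threshold=60.0):
    """Return (timestamp, seconds) for every ping whose ProcessTime exceeds threshold,
    sorted ascending by time (the 'where ProcessTime > 60' step)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-matching events never reach the where clause
        secs = float(m.group("ProcessTime"))
        if secs > threshold:
            events.append((datetime.fromisoformat(m.group("ts")), secs))
    events.sort()
    return events


def sliding_window_counts(events, window=timedelta(minutes=5)):
    """Mimic 'streamstats time_window=5m count': for each event (ascending order),
    the number of events whose timestamp lies within the trailing window.
    Assumption: an event exactly `window` old is still counted."""
    counted = []
    recent = deque()
    for ts, secs in events:
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # drop events that fell out of the window
        counted.append((ts, secs, len(recent)))
    return counted


def alert_times(log_text, min_count=6, threshold=60.0, window=timedelta(minutes=5)):
    """Timestamps at which the alert condition (count >= min_count) becomes true."""
    rows = sliding_window_counts(parse_slow_pings(log_text, threshold), window)
    return [ts for ts, _, count in rows if count >= min_count]


if __name__ == "__main__":
    for ts, secs, count in sliding_window_counts(parse_slow_pings(SAMPLE_LOG)):
        print(ts.isoformat(), secs, count)
    print("alert at:", alert_times(SAMPLE_LOG))
```

The deque keeps only the timestamps still inside the window, so the count is the same rolling figure streamstats produces. Note that the thread's where clause uses >= 6 while the question asks for "more than 6"; the min_count parameter makes that choice explicit rather than burying it in the query.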