Number of Occurrences for certain value for certai...

carlyleadmin · ‎04-25-2019

Hi Splunk Gurus!!!

I have the below query in my environment to find out the seconds it took for the job to complete/not complete.

"Ping to url [/services/Queue/ProcessDius] took" AND "seconds and resulted in status code NoContent"| rex field=_raw "took (?.*) seconds"|where ProcessTime > 60

what i am trying to achieve is that,i wanna create an alert if possible, where the processtime is greater than 60seconds and it happens more than 6 times in 5 minute span.

Thank you for all your help in advance.

adonio · ‎04-25-2019

you will probably want to use streamstats and time_window read here more:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

something like this:
... your search so far ... | sort - _time | streamstats time_window=5m count as high_count_in_five_minutes | where high_count_in_five_minutes >=6

try this search anywhere to better understand how it works:

| gentimes start=-1 increment=30s 
| head 100
| eval _time = starttime 
| eval value = random()%100
| where value > 60
| table _time value
| sort _time
| streamstats time_window=5m count as high_count_in_five_minutes

here is another slightly different approach:

| gentimes start=-1 increment=30s 
| head 100
| eval _time = starttime 
| eval value = random()%100
| table _time value
| sort _time
| eval bad = if(value > 60,1,0)
| where bad = 1
| streamstats time_window=5m count(bad) as bad_count

hope it helps

Number of Occurrences for certain value for certain amount in 5 minute span

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment