Trigger alert on value from predict calculation

wbolten
Path Finder

Hi,

I am trying to build an alert from the following query. The query collects the counters for memory usage, especially the free amount. It plots a time chart of the last 21 days and performs a prediction over the coming 14 days. The graph itself is perfect. It also shows in the prediction that in the next 14 days we run out of memory.

index=xxxxx host=xxxxx source="Perfmon:Memory" counter="Available MBytes"
| eval Value=(Value/1024)
| timechart span=1d avg(Value) as "Available MBytes", latest(host) as host, latest(counter) as counter
| lookup resource_thresholds.csv resource_name AS host, resource_metric AS counter OUTPUTNEW resource_threshold_warning,resource_threshold_critical
| eval Warning=resource_threshold_warning
| eval Critical=resource_threshold_critical
| predict "Available MBytes" as Prediction future_timespan=14
| eval Prediction = round(Prediction,0)
| fields - lower95(Prediction), upper95(Prediction) resource_threshold_warning resource_threshold_critical host counter

I want to run this as a scheduled alert (email, MS Teams) every night and be informed when the prediction hits 0 or lower somewhere in the future 14 days in this case.

For some reason I cannot seem to get my head around the logic here to trigger the alert. Any suggestions?

0 Karma

wbolten
Path Finder

Right, eventually found something that works for me. Not sure if it is the best way but it does work. Below is the query to get the result shown above.

I simply added the line
| search Prediction < 2000
to the alert, just above the last one where I removed the fields I don't want to see. The result is two dates in the future, the 11th and the 12th of April. So it works and returns the dates to focus on.

For the alert itself the end result needs to be cleaned up but it does what I need.

index=xxxxx host=xxxxx source="Perfmon:Memory" counter="Available MBytes"
| eval Value=round(Value,0)
| timechart span=1d avg(Value) as "Available MBytes", latest(host) as host, latest(counter) as counter partial=false
| lookup resource_thresholds.csv resource_name AS host, resource_metric AS counter OUTPUTNEW resource_threshold_warning,resource_threshold_critical
| eval Warning=resource_threshold_warning
| eval Critical=resource_threshold_critical
| predict "Available MBytes" as Prediction future_timespan=14
| eval Prediction = round(Prediction,0)
| fields - lower95(Prediction), upper95(Prediction) resource_threshold_warning resource_threshold_critical host counter
0 Karma