Alerting

Trigger an alert if criteria met for 24 hours

kteng2024
Path Finder

Hi ,

Below is the query that will run over last 2 weeks of data but I want an alert to trigger only if "good count" is greater than 4 in last 24hrs .

index=abc sourcetype=abc| stats max(resptime) as responstime by _time, name | eval absDev=(abs('response'-median)) | streamstats window=1000 current=true median(absDev) as medianAbsDev by "name" | eval lowerBound=(median-medianAbsDev*exact(20)), upperBound=(median+medianAbsDev*exact(20)) | eval isgoodcount =if('response' < lowerBound OR 'response' > upperBound, 1, 0) | stats sum(isgoodcount) as "good count" by "name" | where 'good count'>4| sort -"good count"

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi kteng2024,
what's your question?
doesn't this search run?
It seems to be OK (I'd not use apex only brackets and only when there are spaces).
Maybe do you want to calculate upperBound and lowerBound for 4 weeks and responstime for two hours?
If this is your need try something like this

index=abc sourcetype=abc earliest=-2h
| stats max(resptime) as responstime by _time, name 
| eval absDev=(abs(response-median)) 
| append [
     | index=abc sourcetype=abc earliest=-4w
     | eval absDev=(abs(response-median)) 
     | stats median(absDev) as medianAbsDev by "name" 
     | eval 
          lowerBound=(median-medianAbsDev*exact(20)), 
          upperBound=(median+medianAbsDev*exact(20)) 
     | fields medianAbsDev lowerBound upperBound
     ]
| eval isgoodcount =if(response'< lowerBound OR response>upperBound, 1, 0) 
| stats sum(isgoodcount) as "good count" by "name" 
| where 'good count'>4
| sort -"good count"

Please check the field names.

Bye.
Giuseppe

0 Karma

kteng2024
Path Finder

Thank you for the reply. I want the query to run on last 3 weeks data to calculate deviation but trigger alert only if goodcount is greater than 5 in last 4 hrs .

0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...