Hi, I have a search that looks like this:
index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception"
Now, I want to create an alarm on it. I want it to alarm when it sees a percentage increase.
Can anyone help me?
@amirarsalan
Try this:
index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc >= 50
Hello @amirarsalan
Is there a percentage field available in the data?
Or do you want it based on the number of events per minute or hour, etc.?
Hi @vishaltaneja07011993
I want it on the number of events per hour. But I only want an alert when it sees a percentage increase.
Try something like this:
index=* earliest=-2h latest=-1h | stats count | appendcols [ search index=* earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 0
Now you can create an alert based on the above search.
I don't receive any results, should it be like that? And the other question is: what value should I use when I create the alert on the trigger conditions? See the linked picture.
https://www.google.com/search?q=create+alert+splunk&rlz=1C1GCEB_enSE814SE814&source=lnms&tbm=isch&sa...
I only see events, not statistics.
index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 0
Did you try this?
Now I got results: -100,00
I believe it's right.
How do I create an alert on that?
You can save the search as an Alert.
Thanks, I'm kind of a newbie hehe. In Trigger Conditions, what value should I put?
You can put the condition: when the number of results is more than 0.
Okay, I will do that. Last question: so the alert will trigger when it sees a big percentage increase? I forgot to mention that. I want it to trigger when it's a big percentage increase.
Okay, at what percentage do you want the alert?
50% at least.
Try this then:
index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc >= 50
Perfect. Should I still use "number of results is more than 0"?
Yup correct.
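The two-window comparison from the answer above, rewritten in Python as an added example (it is not from this thread and not Splunk code) so the arithmetic and the edge cases can be checked offline: it parses constructed loadbalancer-style log lines, counts matching events in the previous hour and the current hour the way the earliest/latest modifiers and stats count do, computes perc with the same formula, and applies a 50% increase threshold. The log line format, the timestamps, the SAMPLE_NOW constant and the function names are assumptions. Splunk's eval yields null when count is 0, so a window with no baseline can never satisfy the search filter; the None return below plays the same role. A drop to zero events produces -100.0, which is the value reported earlier in the thread and does not trigger.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a key=value style (not real loadbalancer data).
# Previous hour [10:00, 11:00): 4 matching events; current hour [11:00, 12:00): 7.
SAMPLE_LOGS = """\
2024-01-01T09:59:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T10:05:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T10:20:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T10:30:00Z r_host="sport.mtm.com" req="/api/v2/users" status=200
2024-01-01T10:40:00Z r_host="other.example" req="/api/v2/log/exception" status=500
2024-01-01T10:45:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T10:55:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T11:02:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T11:10:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T11:15:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T11:25:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T11:33:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T11:41:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T11:58:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-01-01T12:00:00Z r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
"""

# Assumed "now" for the sample data, standing in for latest=now().
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+r_host="(?P<r_host>[^"]*)"\s+req="(?P<req>[^"]*)"')


def parse_line(line):
    """Extract _time, r_host and req from one log line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"_time": ts, "r_host": m["r_host"], "req": m["req"]}


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]


def count_window(events, start, end, r_host, req):
    """Equivalent of the field filters plus earliest/latest (start inclusive, end exclusive) | stats count."""
    return sum(
        1 for e in events
        if start <= e["_time"] < end and e["r_host"] == r_host and e["req"] == req
    )


def percent_change(count, count2):
    """eval perc=round(((count2 - count) * 100 / count), 2); None mirrors Splunk's null on divide-by-zero."""
    if count == 0:
        return None
    return round((count2 - count) * 100 / count, 2)


def evaluate(events, now, r_host, req, threshold=50.0):
    """Run the two-window comparison and decide whether the alert would fire."""
    count = count_window(events, now - timedelta(hours=2), now - timedelta(hours=1), r_host, req)
    count2 = count_window(events, now - timedelta(hours=1), now, r_host, req)
    perc = percent_change(count, count2)
    # `search perc >= 50` leaves one row only when the increase is at least the threshold;
    # the alert's trigger condition "number of results is more than 0" then fires on that row.
    results = [perc] if perc is not None and perc >= threshold else []
    return {"count": count, "count2": count2, "perc": perc, "alert": len(results) > 0}


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print(evaluate(events, SAMPLE_NOW, "sport.mtm.com", "/api/v2/log/exception"))
```

Running the block prints count 4, count2 7, perc 75.0 and alert True for the constructed data; swapping r_host for a host that had events only in the previous hour gives perc -100.0 and no alert, and a host with no baseline at all gives perc None and no alert.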
Please accept the answer so that the thread can be closed.
Thanks a lot