Alerting

When the following search sees a percentage increase, can you help me create an alarm on it?

amirarsalan
Explorer

Hi, I have a search that looks like this:

index=loadbalancer r_host="sport.mtm.com"  req="/api/v2/log/exception" 

Now, I want to create an alarm on it. I want it to alarm when it sees a percentage increase.

Can anyone help me?

0 Karma

vishaltaneja070
Motivator

Hello @amirarsalan

Is there a percentage field available in the data?

Or do you want it based on the number of events per minute or hour, etc.?

0 Karma

amirarsalan
Explorer

Hi @vishaltaneja07011993

I want it on the number of events per hour. But I only want an alert when it sees a percentage increase.

0 Karma

vishaltaneja070
Motivator

Try something like this:

index=* earliest=-2h latest=-1h | stats count | appendcols [ search index=* earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 0

Now you can create an alert based on the above search.

0 Karma

amirarsalan
Explorer

I don't receive any results; should it be like that? And the other question is: what value should I use when I create the alert on the trigger conditions? See the linked picture:
https://www.google.com/search?q=create+alert+splunk&rlz=1C1GCEB_enSE814SE814&source=lnms&tbm=isch&sa...

0 Karma

amirarsalan
Explorer

I only see events, not statistics.

0 Karma

vishaltaneja070
Motivator
index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception"  earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception"  earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 0
0 Karma

vishaltaneja070
Motivator

Did you try this?

0 Karma

amirarsalan
Explorer

Now I got results -100,00
I believe it's right.
How do I create an alert on that?

0 Karma

vishaltaneja070
Motivator

You can save the search as an Alert.

0 Karma

amirarsalan
Explorer

Thanks, I'm kind of a newbie hehe. In Trigger Conditions, what value should I put?

0 Karma

vishaltaneja070
Motivator

You can put the condition "number of results is more than 0".

0 Karma

amirarsalan
Explorer

Okay, I will do that. Last question: so the alert will trigger when it sees a big percentage increase? I forgot to mention that. I want it to trigger when it's a big percentage increase.

0 Karma

vishaltaneja070
Motivator

Okay, at what percentage do you want the alert?

0 Karma

amirarsalan
Explorer

50% at least

0 Karma

vishaltaneja070
Motivator

Try this then:
index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc >= 50

0 Karma
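The following is an added example and is not code from the thread or from Splunk. It re-implements the logic of the SPL above in Python so the alert condition can be checked offline: count matching events in the hour before last and in the last hour, compute perc = (count2 - count) * 100 / count, and fire only on an increase of at least 50%. It also handles the case the SPL leaves silent: when the baseline count is 0, the eval division yields a null perc and the final search drops the row, so a burst that starts from zero would never alert. The log lines, timestamps, the fixed "now" and the function names are all constructed for the example.

```python
"""Percentage-increase check between two hourly windows, mirroring the SPL in
the thread (stats count per window, perc = (count2 - count) * 100 / count).
All log lines, timestamps and names below are constructed for the example."""
from datetime import datetime, timedelta
import re

# Constructed sample lines in key="value" form, roughly how the loadbalancer
# index in the thread is searched (r_host, req). Not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:05:00 r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-03-01T10:20:00 r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-03-01T10:40:00 r_host="sport.mtm.com" req="/api/v2/users" status=200
2024-03-01T11:02:00 r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-03-01T11:15:00 r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
2024-03-01T11:31:00 r_host="other.example" req="/api/v2/log/exception" status=500
2024-03-01T11:48:00 r_host="sport.mtm.com" req="/api/v2/log/exception" status=500
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return (timestamp, fields) for one key="value" log line."""
    ts_str, _, rest = line.partition(" ")
    return datetime.fromisoformat(ts_str), dict(FIELD_RE.findall(rest))


def count_window(lines, start, end, r_host, req):
    """Equivalent of `... earliest=start latest=end | stats count`: events
    with start <= _time < end whose r_host and req both match."""
    n = 0
    for line in lines:
        ts, fields = parse_line(line)
        if start <= ts < end and fields.get("r_host") == r_host and fields.get("req") == req:
            n += 1
    return n


def percent_change(count, count2):
    """SPL: eval perc = round(((count2 - count) * 100 / count), 2).
    Returns None when the baseline count is 0, where SPL would produce a
    null perc and the trailing `search perc ...` would silently drop it."""
    if count == 0:
        return None
    return round((count2 - count) * 100 / count, 2)


def evaluate(lines, now, r_host, req, threshold=50.0):
    """Compare the hour before last (-2h..-1h) with the last hour (-1h..now).
    Returns (count, count2, perc, alert). alert is True only on an increase
    of at least `threshold` percent; a zero baseline counts as an alert when
    the current window is non-empty, so a burst from nothing is not lost."""
    count = count_window(lines, now - timedelta(hours=2), now - timedelta(hours=1), r_host, req)
    count2 = count_window(lines, now - timedelta(hours=1), now, r_host, req)
    perc = percent_change(count, count2)
    alert = count2 > 0 if perc is None else perc >= threshold
    return count, count2, perc, alert


def run_sample(threshold=50.0):
    """Run the check over the constructed sample with a fixed 'now'."""
    lines = SAMPLE_LOG.splitlines()
    now = datetime(2024, 3, 1, 12, 0, 0)  # constructed "now" for the sample
    return evaluate(lines, now, "sport.mtm.com", "/api/v2/log/exception", threshold)


if __name__ == "__main__":
    # Sample data: 2 baseline events, 3 current events -> perc 50.0, alert True
    print(run_sample())
```

When the search is saved as an alert, the Splunk-side equivalent of `alert` being True is the trigger condition "number of results is more than 0", because the final `search perc >= 50` leaves a row only when the increase meets the threshold.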

amirarsalan
Explorer

Perfect. Should I still use "number of results is more than 0"?

0 Karma

vishaltaneja070
Motivator

Yup, correct.

Please accept the answer so that the thread can be closed.

0 Karma

amirarsalan
Explorer

Thanks a lot

0 Karma