Alerting

How to check the events occurring from the start of the month to the 15th day of the month using Splunk

susri4
New Member

Hi,

I want to create an alert that sends me an email notification if the count of events has crossed a particular threshold between the start of the month and the 15th day of the month.

my query is this:

index=akm_ing "xyz.ex.com" "aagkeyid":"49005" |stats count | where count > 600000

Can you please help me with how to achieve this?


PickleRick
SplunkTrust
earliest=@mon latest=@mon+15d

gcusello
SplunkTrust

Hi @susri4,

you should add a condition separating the first 15 days of the month from the second half, something like this:

index=akm_ing "xyz.ex.com" "aagkeyid":"49005" 
| eval divide=if(date_mday<16,"First","Second")
| stats count BY divide
| where count > 600000

if you don't have the date_mday field, you can calculate it:

index=akm_ing "xyz.ex.com" "aagkeyid":"49005" 
| eval divide=if(tonumber(strftime(_time,"%d"))<16,"First","Second")
| stats count BY divide
| where count > 600000

Ciao.

Giuseppe

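The two answers above take different routes to the same window: PickleRick's time modifiers (earliest=@mon latest=@mon+15d) bound the search to midnight on the 1st up to, but not including, midnight on the 16th, while gcusello's date_mday split buckets whatever the search already returned. The Python below is an added example, not code from the thread or from Splunk; it re-implements the @mon snap and the 15-day offset over a constructed list of _time values and runs both approaches side by side, so you can see that they agree only when the time range is already restricted to one month (date_mday carries no month, so events from a neighbouring month land in the "First" bucket too). The months_back parameter, the event timestamps and the UTC search timezone are assumptions for the illustration.

```python
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

# Assumed search timezone. Splunk snaps @mon in the searching user's timezone,
# which matters for events close to a month boundary.
SEARCH_TZ = ZoneInfo("UTC")


def ts(text):
    """Parse 'YYYY-mm-dd HH:MM:SS' into an aware datetime, standing in for _time."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SEARCH_TZ)


# Constructed sample _time values (not data from the thread): two in June,
# three inside July 1-15, one exactly at midnight starting the 16th, one later.
SAMPLE_EVENTS = [
    ts("2025-06-05 09:00:00"),
    ts("2025-06-30 23:59:59"),
    ts("2025-07-01 00:00:00"),
    ts("2025-07-08 12:34:56"),
    ts("2025-07-15 23:59:59"),
    ts("2025-07-16 00:00:00"),
    ts("2025-07-20 08:00:00"),
]


def snap_to_month(moment):
    """Re-implementation of the @mon snap: 00:00:00 on the 1st of that month."""
    return moment.replace(day=1, hour=0, minute=0, second=0, microsecond=0)


def first_half_window(now, months_back=0):
    """Window for earliest=-Nmon@mon latest=-Nmon@mon+15d, N = months_back (0 = @mon).

    Returns (earliest, latest). latest is exclusive, as Splunk's latest is, and
    falls on midnight starting the 16th, so every event on the 15th is inside.
    """
    start = snap_to_month(now)
    for _ in range(months_back):
        # Step back one day from the 1st and snap again to reach the previous month.
        start = snap_to_month(start - timedelta(days=1))
    return start, start + timedelta(days=15)


def count_in_window(events, earliest, latest):
    """Equivalent of a search bounded by earliest/latest followed by '| stats count'."""
    return sum(1 for t in events if earliest <= t < latest)


def count_by_half(events):
    """gcusello's split: eval divide=if(date_mday<16,"First","Second") | stats count BY divide.

    date_mday has no month, so any event in the search's time range is bucketed,
    whichever month it came from.
    """
    counts = {"First": 0, "Second": 0}
    for t in events:
        counts["First" if t.day < 16 else "Second"] += 1
    return counts


def alert_fires(count, threshold=600000):
    """The '| where count > 600000' alert condition from the question."""
    return count > threshold


def evaluate(events, now, threshold=600000, months_back=0):
    """Run both approaches over the same events and return what an alert would act on."""
    earliest, latest = first_half_window(now, months_back)
    in_window = count_in_window(events, earliest, latest)
    # The date_mday split only matches the time-range approach once the search
    # itself is limited to the month in question.
    same_month = [t for t in events if snap_to_month(t) == earliest]
    return {
        "earliest": earliest,
        "latest": latest,
        "count_by_time_range": in_window,
        "count_by_date_mday": count_by_half(same_month)["First"],
        "count_by_date_mday_unrestricted": count_by_half(events)["First"],
        "fires": alert_fires(in_window, threshold),
    }


if __name__ == "__main__":
    now = ts("2025-07-20 10:00:00")
    for key, value in evaluate(SAMPLE_EVENTS, now, threshold=2).items():
        print(f"{key}: {value}")
```

Two practical points follow from this. The strftime form of the split compares a string, so wrap it in tonumber() before the < 16 test. And if the alert is scheduled to run after the 15th of the following month, the current-month window is not the one you want; Splunk's own modifier for the previous month is -1mon@mon, which is what months_back=1 models here.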

susri4
New Member

Just a query:

Can I achieve this by playing around with the earliest and latest time modifiers?

earliest = @mon -- this will give the start of the month

latest = ? -- I'm unable to define the 15th day of the month here.

Can you help me get the right value for latest?
