Re: Creating threshold alerts.

paul_1994 · ‎05-16-2013

I had a request to provide the alert below and I am trying to figure out the best way to tackle it.

run this query every 5 minutes and response time >2000 for more than 10 occurrences then raise email to below group also if possible please plot the timechart with this query

index=xxx_logs service_name=cix* operation=GetTypeFrom* Transaction_time>2000  | timechart max(Transaction_time) by operation

Thanks in Advance!

Update:

I created an alert to run every 5min and to alert if threshold reaches over 10 occurrences.

kristian_kolb · ‎05-17-2013

Hi, the query below would give you a table of operations that have exceeded 2000 (ms?) more than 9 times for the time period searched. I'm not exactly sure that that's what you're asking for, but I think so.

index=xxx_logs service_name=cix* operation=GetTypeFrom* Transaction_Time > 2000 |stats c by operation | where c>9

If you want to make a chart of that, you could replace the stats with a timechart span=5min

Hope this helps,

K

Creating threshold alerts.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation