Solved: Re: Threshold varies base on time

cbiraris · ‎06-07-2023

Hi Team,

I am trying to schedule a alert base on threshold for 2 time window.

100 events between 00:00 to 14:00
20 events between 14:00 to 00:00

is it possible to define 2 threshold like above ? in one alert

index=ABC sourcetype=XYZ failedlogin |stats count |where count >100 between 00:00 to 14:00

index=ABC sourcetype=XYZ failedlogin |stats count |where count >20 between 14:00 to 00:00

gcusello · ‎06-07-2023

Hi @cbiraris,

please try this.

index=ABC sourcetype=XYZ failedlogin 
| stats count earliest(_time) AS _time
| eval time_hour=strftime(_time,"%H")
| eval threeshold=if(time_hour<15,100,20)
| where count>threeshold

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-07-2023

Hi @cbiraris,

please try this.

index=ABC sourcetype=XYZ failedlogin 
| stats count earliest(_time) AS _time
| eval time_hour=strftime(_time,"%H")
| eval threeshold=if(time_hour<15,100,20)
| where count>threeshold

Ciao.

Giuseppe

cbiraris · ‎06-07-2023

Thank you @gcusello
Its working

Is it possible to define 2 threshold based on time?

configuration

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor