how to build a report/alert with the values of pre...

marisstella · ‎05-05-2020

Hi All,
here I'm trying to build a query, which produces the values of yesterday and today.

earliest=-1d@d latest=@d index="summary" | stats count(count) as yesterday_count by orig_sourcetype | appendcols [ search earliest=@d latest=now index="summary" | stats count(count) as today_count by orig_sourcetype]

What I'm looking for is, I want a report of day-1, day-2, day-3, day-4..
if anyone of the day-4 count is more/less than 30% of previous days.. It should trigger the alert.

shivanshu1593 · ‎05-05-2020

Taking your search into consideration, I'm assuming that the count field is already present in your data. Here's a simple way to achieve and alert when the percentage of today's data is more than 30% of the count of previous data.

index=summary | autoregress count p=1-4 | eval previous_days_count = count_p2 + count_p3 + count_p4 | eval percentage = (previous_days_count * 100 / count_p1) | where percentage>30

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

marisstella · ‎05-13-2020

Thanks for the response... I'm confused.. Where are you taking AVG of previous days counts and compare with latest counts?

how to build a report/alert with the values of previous weeks?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...