how to write a dynamic thresholds function in the ...

rajupasula · ‎12-10-2018

My requirement is I have to write a search query with eval function which should set the CPU threshold value dynamically

Ex: cpu usage >50 it should return value with "CPU usage is normal".
cpu usage <50 & >75 it should return value "CPU usage is warning".
cpu usage <75 it should return value "CPU usage is warning".

I have tried with case(...). but I want below query in any custom function

index="my_index" source="data.csv"
| eval Threshold=case(cpuusage<=50, "CPU usage is normal", cpuusage>50 AND cpuusage<=75, "CPU usage is warning ", cpuusage>75,"Critical") | table cpuusage Threshold by traceid

please do help me on this

gcusello · ‎12-10-2018

Hi rajupasula,
what do you want a table or a stat?
if a table try with:

index="my_index" source="data.csv"
| eval Threshold=case(cpuusage<51,"CPU usage is normal", cpuusage<76,"CPU usage is warning",cpuusage>75,"Critical") 
| table cpuusage Threshold

if you want a stat, try with:

index="my_index" source="data.csv"
| eval Threshold=case(cpuusage<51,"CPU usage is normal", cpuusage<76,"CPU usage is warning",cpuusage>75,"Critical") 
| stats count BY Threshold

Bye.
Giuseppe

how to write a dynamic thresholds function in the Splunk search with eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation