how to write a dynamic thresholds function in the ...

rajupasula · ‎12-10-2018

My requirement is I have to write a search query with eval function which should set the CPU threshold value dynamically

Ex: cpu usage >50 it should return value with "CPU usage is normal".
cpu usage <50 & >75 it should return value "CPU usage is warning".
cpu usage <75 it should return value "CPU usage is warning".

I have tried with case(...). but I want below query in any custom function

index="my_index" source="data.csv"
| eval Threshold=case(cpuusage<=50, "CPU usage is normal", cpuusage>50 AND cpuusage<=75, "CPU usage is warning ", cpuusage>75,"Critical") | table cpuusage Threshold by traceid

please do help me on this

gcusello · ‎12-10-2018

Hi rajupasula,
what do you want a table or a stat?
if a table try with:

index="my_index" source="data.csv"
| eval Threshold=case(cpuusage<51,"CPU usage is normal", cpuusage<76,"CPU usage is warning",cpuusage>75,"Critical") 
| table cpuusage Threshold

if you want a stat, try with:

index="my_index" source="data.csv"
| eval Threshold=case(cpuusage<51,"CPU usage is normal", cpuusage<76,"CPU usage is warning",cpuusage>75,"Critical") 
| stats count BY Threshold

Bye.
Giuseppe

how to write a dynamic thresholds function in the Splunk search with eval

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases