How do I send an alert when the last 7 events of "...

marvinlee93 · ‎11-29-2018

I would like to send an alert when the last 7 events of "fieldname" are increasing.

And a table/timechart to display the time, indexes when it happens.

Anybody knows how to do this?

whrg · ‎11-30-2018

Perhaps streamstats can help you here.

I just played around with this search:

| makeresults count=20 | eval value=random()%100
| streamstats window=2 min(value) as minimum
| eval is_increase=if(value!=minimum,1,0)
| streamstats window=7 sum(is_increase) as increases

Now when searching for "increases>=7" should give you 7 subsequent increases.

marvinlee93 · ‎12-02-2018

Hi, it's working. Thank you! Just to check this comment '| streamstats window=7 sum(is_increase) as increases
' means that the maximum count of INCREASES will only be 7? since the window size is 7?

whrg · ‎12-03-2018

True, the maxium count will only be 7. So it should be "search increases=7" instead of "search increases>=7".

I modified the search a little to make it somewhat easier:

How do I send an alert when the last 7 events of "fieldname" are increasing?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...