Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we detect excessive overlapping alerts?

ddrillic
Ultra Champion
‎12-20-2018 09:02 AM

We reach situations in which application teams set their alerts at the top of the hour and when we (the Splunk team) catch it, it might be too late.

Is there a way to produce a report which lists the run times and detect excessive usage times?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-20-2018 11:00 AM

Yeah, you can use the internal index for this. You should explicitly add savedsearch_name for this 

index=_internal savedsearch_name=*
| timechart max(run_time) AS run_time by savedsearch_name

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-20-2018 11:00 AM

Yeah, you can use the internal index for this. You should explicitly add savedsearch_name for this 

index=_internal savedsearch_name=*
| timechart max(run_time) AS run_time by savedsearch_name
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎12-20-2018 01:41 PM

Thank you @skoelpin.

I changed the max to sum and we can see -

alt text

We can see that at each quarter of the hour we have peak usage.
Can we find out from _internal how many searches were skipped?

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎12-20-2018 01:46 PM

Yes, you sure can! 

index=_internal sourcetype=scheduled status=skipped NOT "_ACCELERATE*"
| timechart count by savedsearch_name
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎12-20-2018 01:56 PM

Just ran -

index=_internal sourcetype=scheduler status=skipped NOT "_ACCELERATE*"
 | timechart count

It shows -

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎12-20-2018 01:57 PM

The totals for an hour are -

alt text

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎12-20-2018 02:09 PM

Yeah, you have a problem with skips at 4am. You should trend this over time by using timewrap to see if there's a pattern. Most likely, other searches are competing for resources and they run long and cause skips. You can fix this by changing search priroty away from 0 to auto.

You can split by savedsearch_name or get a total over a span of time by adding span=1h. We use this search to alert us and cut a ticket when we start skipping. Skips are unacceptable for us

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎12-21-2018 12:39 PM

Much appreciated @skoelpin.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...