Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to Setup splunk alert for total percentage jobs failure.

alamma8
Loves-to-Learn
‎10-05-2020 07:02 AM

Using EMR Spark & all the logs goes to splunk & there are multiple type of jobs running in the cluster. I want to setup splunk alert,if more that 5% total no. of jobs failed then we get the alert.

0 Karma
Reply

alamma8
Loves-to-Learn
‎10-06-2020 06:49 PM

Hi,

Thanks for you reply.

using following query i am able to get all the failed jobs.

index=emr | search applicationType=SPARK finalStatus=FAILED

In our environment more than 300 jobs are running per day.(batch jobs & streaming jobs).

#1:-I want to setup an alert, if fail jobs count reach to 5% then it trigger the alert.

#2:-Numbers of job can be fluctuate. some day total count would be more than 300 or less than 300. So percent (5%) should be on actual count. like total count of the day is 280. then what would be the parameter.

Please give me the query what should i need to run.

Thanks in Advanced

0 Karma
Reply

alamma8
Loves-to-Learn
‎10-05-2020 08:51 PM

Hi,

Thanks for you reply.

using following query i am able to get all the failed jobs.

index=emr | search applicationType=SPARK finalStatus=FAILED

In our environment more than 300 jobs are running per day.(batch jobs & streaming jobs).

#1:-I want to setup an alert, if fail jobs count reach to 5% then it trigger the alert.

#2:-Numbers of job can be fluctuate. some day total count would be more than 300 or less than 300. So percent (5%) should be on actual count. like total count of the day is 280. then what would be the parameter.

Please give me the query what should i need to run.

Thanks in Advanced.

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-05-2020 07:39 AM

In general, since the question does not contain specifics about the data, you'll need a count of all jobs as well as a count of jobs that failed.  Use math to find the failure percentage.

your search | eval fail = if(test for failure, 1, 0)
| stats count as total, sum(fail) as failures
| eval pct = failures * 100 / total
| where pct > 5
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...