Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to Setup splunk alert for total percentage jobs failure.

alamma8
Loves-to-Learn
‎10-05-2020 07:02 AM

Using EMR Spark & all the logs goes to splunk & there are multiple type of jobs running in the cluster. I want to setup splunk alert,if more that 5% total no. of jobs failed then we get the alert.

0 Karma
Reply

alamma8
Loves-to-Learn
‎10-06-2020 06:49 PM

Hi,

Thanks for you reply.

using following query i am able to get all the failed jobs.

index=emr | search applicationType=SPARK finalStatus=FAILED

In our environment more than 300 jobs are running per day.(batch jobs & streaming jobs).

#1:-I want to setup an alert, if fail jobs count reach to 5% then it trigger the alert.

#2:-Numbers of job can be fluctuate. some day total count would be more than 300 or less than 300. So percent (5%) should be on actual count. like total count of the day is 280. then what would be the parameter.

Please give me the query what should i need to run.

Thanks in Advanced

0 Karma
Reply

alamma8
Loves-to-Learn
‎10-05-2020 08:51 PM

Hi,

Thanks for you reply.

using following query i am able to get all the failed jobs.

index=emr | search applicationType=SPARK finalStatus=FAILED

In our environment more than 300 jobs are running per day.(batch jobs & streaming jobs).

#1:-I want to setup an alert, if fail jobs count reach to 5% then it trigger the alert.

#2:-Numbers of job can be fluctuate. some day total count would be more than 300 or less than 300. So percent (5%) should be on actual count. like total count of the day is 280. then what would be the parameter.

Please give me the query what should i need to run.

Thanks in Advanced.

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-05-2020 07:39 AM

In general, since the question does not contain specifics about the data, you'll need a count of all jobs as well as a count of jobs that failed.  Use math to find the failure percentage.

your search | eval fail = if(test for failure, 1, 0)
| stats count as total, sum(fail) as failures
| eval pct = failures * 100 / total
| where pct > 5
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...