Monitoring Splunk

Monitoring 15% drop in logins with delta

hornettj
New Member

Hi, a bit of background: I am trying to monitor a 15% drop in logins using the delta command, at the moment over the last 15 minutes.

I am using the below search as my test:
index=*_XXXX_app AND (/security/session) | eval call=case(uri like "/security/session%","Login") | timechart count span=5m | delta count as difference | eval percdif=round(abs(difference/count)*100,0)

My Final Search which I will use to create an alert is:
index=*_XXXX_app AND (/security/session) | eval call=case(uri like "/security/session%","Login") | timechart count span=5m | delta count as difference | eval percdif=round(abs(difference/count)*100,0) | where percdif>=15 AND difference<0 | eval mesg="Suspected Service Impact 15 Percent drop in Traffic" | table _time mesg

The problem I have is it keeps triggering against the last minute.

For example, if I run it I get:

_time                count  difference  percdif
2016-02-14 08:45:00    258
2016-02-14 08:50:00    377         119       32
2016-02-14 08:55:00    358         -19        5
2016-02-14 09:00:00     15        -343     2287

It does not like the first and last minute of data. Do I need to find a way to get it to ignore the last minute?

0 Karma

renjith_nair
Legend

Try the option partial=false in timechart to exclude the partial buckets (beginning and end).

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

hornettj
New Member

Unfortunately that still did not work.

I think I found a workaround by using a relative search:
Relative:
Earliest = 12min “Beginning of minute”
Latest = “Beginning of current minute”

So far it's behaving.

0 Karma
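Editor's note: the following is an added Python model of the thread's search pipeline (timechart count span=5m | delta | percdif | where), not code from the thread or from Splunk. It reproduces why the original search fires on the trailing bucket (the bucket is only partly filled when the search runs) and why a window trimmed to whole buckets, the effect the relative-time workaround above and timechart partial=false are reaching for, stops the false alert while still catching a real drop. All event data is constructed: 70 logins per minute, optionally halving from a chosen minute onward.

```python
from datetime import datetime, timedelta

SPAN_MIN = 5  # matches `timechart count span=5m` in the original search


def make_events(start, minutes, rate):
    """Constructed login timestamps: rate(m) events spread evenly over minute m."""
    events = []
    for m in range(minutes):
        per_minute = rate(m)
        for k in range(per_minute):
            events.append(start + timedelta(minutes=m, seconds=k * 60 / per_minute))
    return events


def bucket_floor(ts, span_min=SPAN_MIN):
    """Start of the span-minute bucket containing ts (08:47 -> 08:45 for a 5m span)."""
    return ts.replace(minute=(ts.minute // span_min) * span_min, second=0, microsecond=0)


def timechart_count(events, earliest, latest, span_min=SPAN_MIN):
    """Model of `timechart count span=5m` over events in [earliest, latest)."""
    counts = {}
    for ts in events:
        if earliest <= ts < latest:
            b = bucket_floor(ts, span_min)
            counts[b] = counts.get(b, 0) + 1
    return sorted(counts.items())  # list of (bucket_start, count)


def delta_percdif(rows):
    """Model of `delta count AS difference | eval percdif=round(abs(difference/count)*100,0)`.
    Returns (bucket_start, count, difference, percdif); the first row has no delta."""
    out, prev = [], None
    for t, count in rows:
        diff = None if prev is None else count - prev
        perc = None if diff is None else round(abs(diff / count) * 100)
        out.append((t, count, diff, perc))
        prev = count
    return out


def alert_times(rows, threshold=15):
    """Model of `where percdif>=15 AND difference<0`: bucket starts that would fire."""
    return [t for t, _, d, p in delta_percdif(rows) if d is not None and d < 0 and p >= threshold]


def drop_partial_buckets(rows, earliest, latest, span_min=SPAN_MIN):
    """Keep only buckets lying wholly inside [earliest, latest): the effect of a
    window snapped to whole buckets (assumed equivalent to timechart partial=false)."""
    span = timedelta(minutes=span_min)
    return [(t, c) for t, c in rows if t >= earliest and t + span <= latest]


def demo(drop_at_minute=None):
    """Run the pipeline once naively and once on whole buckets only.
    drop_at_minute=None: steady traffic; drop_at_minute=10: rate halves from 08:55."""
    start = datetime(2016, 2, 14, 8, 45)
    now = datetime(2016, 2, 14, 9, 0, 40)    # search runs 40 s into the 09:00 bucket
    earliest = datetime(2016, 2, 14, 8, 47)  # window starts mid-bucket, like a rolling "last N minutes"

    def rate(m):
        return 35 if drop_at_minute is not None and m >= drop_at_minute else 70

    events = make_events(start, 16, rate)
    rows = timechart_count(events, earliest, now)
    return {
        "rows": delta_percdif(rows),
        "naive": alert_times(rows),
        "whole_buckets": alert_times(drop_partial_buckets(rows, earliest, now)),
    }


if __name__ == "__main__":
    for label, kw in (("steady traffic", {}), ("real drop at 08:55", {"drop_at_minute": 10})):
        result = demo(**kw)
        print(f"--- {label} ---")
        for t, c, d, p in result["rows"]:
            print(f"{t:%H:%M}  count={c:<4} difference={d!s:<5} percdif={p}")
        print("naive alerts:       ", [f"{t:%H:%M}" for t in result["naive"]])
        print("whole-bucket alerts:", [f"{t:%H:%M}" for t in result["whole_buckets"]])
```

With steady traffic the naive pipeline fires on 09:00 because that bucket holds only 40 seconds of logins (a spurious drop of several hundred percent, just like the 15-event row in the original output), while the whole-bucket version fires nothing. When the rate really halves at 08:55, both versions flag 08:55, so trimming the partial buckets removes the false positive without hiding the genuine drop. The same table-building helper reproduces the percdif values in the original post (32, 5, 2287) from its counts.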