Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to define 2 thresholds based on time?

cbiraris
Path Finder
‎09-05-2023 01:57 AM

Hi Team,

I am trying to schedule a alert base on threshold for 2 time window.

If fall to 0 events between 23:00 to 07:00
If fall to less then 20 events between   07:00 to 23:00 
 
is it possible to define 2 threshold like above ? in one alert

index=ABC sourcetype=XYZ login |stats count |where count =0 between23:00 to 07:00

index=ABC sourcetype=XYZ login |stats count |where count <=20 between 07:00 to 23:00 

Please advise.

Thank you

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 02:07 AM

Hi @cbiraris,

yes, you have to define a threshold value using eval:

index=ABC sourcetype=XYZ login 
| stats count 
| eval time_hour=strftime(now(),"%H")
| eval threshold=if(time_hour>22 OR time_hour<8,0,20)
| where count<=threshold

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 02:09 AM 
index=ABC sourcetype=XYZ login |stats count |where count=0 OR (count <=20 AND tonumber(strftime(now(),"%H")) >= 7 AND tonumber(strftime(now(),"%H")) < 23)
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 02:07 AM

Hi @cbiraris,

yes, you have to define a threshold value using eval:

index=ABC sourcetype=XYZ login 
| stats count 
| eval time_hour=strftime(now(),"%H")
| eval threshold=if(time_hour>22 OR time_hour<8,0,20)
| where count<=threshold

Ciao.

Giuseppe

Reply
Solved! Jump to solution

cbiraris
Path Finder
‎09-05-2023 02:26 AM

Also, can we define 2 different search run interval in this query ? like below---

index=ABC sourcetype=XYZ login |stats count |where count =0 between23:00 to 07:00, search can be run every after 2 hours to check last 2 hours events 

AND 

index=ABC sourcetype=XYZ login |stats count |where count <=20 between 07:00 to 23:00, , search can be run every after 1 hours to check last 1 hours events 
 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 03:34 AM

You can do this in one alert but it gets a bit messy - you would probably be better off using two alerts with different schedules, time periods and alert criteria

0 Karma
Reply
Solved! Jump to solution

cbiraris
Path Finder
‎09-05-2023 02:16 AM

Thank you @gcusello
Its Working

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...