Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setup alert for two thresholds

sivaranjani
Explorer
‎12-23-2024 11:32 AM

I want to set up splunk alert that can have two threshold 
1. if the time is between 8 AM to 5PM - alert if AvgDuration is greater than 1000ms

2. If time is between 5pm to next day 8AM - alert if avgduration is greater than 500ms

How do i implement this

Query am working on

<mySearch>| bin _time span=1m|
stats avg(msg.DurationMs) AS AvgDuration by _time, msg.Service | where AvgDuration > 1000
0 Karma
Reply

marnall
Motivator
‎12-23-2024 11:49 AM

You could calculate the current hour of the alert execution, then adjust the threshold at the end.

<mySearch>
| bin _time span=1m
| stats avg(msg.DurationMs) AS AvgDuration by _time, msg.Service
| eval hour = strftime(now(),"%H")
| where (AvgDuration > 1000 and hour >= 8 and hour < 17) or (AvgDuration > 500 AND (hour < 8 OR hour >= 17))
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...