Splunk Enterprise Security

How do I calculate the average of logs received from a sourcetype over the last 30 days and compare, for each sourcetype, whether the percentage dip in the last 24 hours is more than 70% when compared to the average logs for that particular sourcetype?

staparia
Explorer

| metadata type=sourcetypes index=* group by index
| search sourcetype=*
| where lastTime < (now() - 86400)
| eval Duration=tostring(now() - lastTime,"duration")
| search Duration="*"
| fields sourcetype lastTime Duration
| sort - lastTime
| eval lastTime = strftime(lastTime,"%Y/%m/%d %H:%M" )
| rex field=Duration "(?<days>\d+)"

0 Karma

adonio
Ultra Champion

Try something along these lines; search over the last 30 (or 31) days:

| tstats count as event_count where index=_internal by sourcetype _time span=24h
| eventstats avg(event_count) as days_avg by sourcetype
| eval delta = round(event_count - days_avg, 2)
| eval perc_change = round((event_count / days_avg) * 100, 2)
| eval dip_pct = round(100 - perc_change, 2)
| where _time >= now() - 86400
| eval alert = if(dip_pct > 70,"ALERT","OK")

Hope it helps.

0 Karma

staparia
Explorer

I like the concept. The only thing that differs is that Event Count is less than the days average.

Instead, Event count should be the number of logs received over a time range (for example, a time picker of, let's say, 30 days),
and Days_avg should be the average of the event count over 30 days, divided by 30 (eventcount/30).

The percentage change should be whether the number of events received in the last 24 hours shows a dip of more than 70 percent when compared with Days_avg.

0 Karma

to4kawa
Ultra Champion
| tstats count as event_count where index=_internal by sourcetype _time span=24h
| eval day=strftime(_time,"%d")
| eventstats dc(eval(strftime(_time,"%d"))) as days
| eventstats sum(event_count) as days_total by sourcetype
| eval days_avg= round(days_total / days, 2)
| eval perc_change = round((event_count / days_avg) * 100, 2)
| eval delta = round(event_count - days_avg, 2)
| eval dip_pct = round(100 - perc_change, 2)
| where _time >= now() - 86400
| eval alert = if(dip_pct > 70,"ALERT","OK")

Thanks @adonio.
I modified @adonio's query.

0 Karma

to4kawa
Ultra Champion

What's the average of logs?

0 Karma

staparia
Explorer

@to4kawa Average count of logs (events) received over a specific time.

0 Karma
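The check the thread builds in SPL (daily buckets per sourcetype, an average over the lookback window, and the last-24h bucket compared against that average), written out as a plain-Python model so the arithmetic and the edge cases can be inspected. This is an added example, not code from the thread or from Splunk; the sourcetype names, counts and the fixed "now" are constructed, and the bucket alignment (to "now" rather than to midnight) is an assumption that makes the last bucket exactly the last 24 hours. A sourcetype seen earlier in the window but silent in the last 24 hours shows a 100% dip, which is the case the question is really after.

```python
# Added example (not from the thread or Splunk): a per-sourcetype volume-dip
# check modelled on the tstats/eventstats approach above. All data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 30
DIP_THRESHOLD_PCT = 70.0   # alert when the last-24h count is >70% below average
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)   # constructed "now"


def bucket_counts(events, now=NOW, lookback_days=LOOKBACK_DAYS):
    """Count events per sourcetype in whole-day buckets, as
    `tstats count by sourcetype _time span=24h` does. Buckets are aligned to
    `now` (assumption), so the last bucket is exactly the last 24 hours."""
    window_start = now - timedelta(days=lookback_days)
    counts = defaultdict(lambda: [0] * lookback_days)
    for sourcetype, ts in events:
        if ts < window_start or ts >= now:
            continue                      # outside the lookback window
        idx = int((ts - window_start).total_seconds() // 86400)
        counts[sourcetype][idx] += 1
    return dict(counts)


def dip_report(counts, threshold_pct=DIP_THRESHOLD_PCT):
    """Per sourcetype: average daily count over the window (days_total / days),
    the last-24h count, the dip as a percentage of that average, and an alert
    flag. dip_pct = 100 - perc_change, so a 70% dip means perc_change < 30."""
    report = {}
    for sourcetype, daily in counts.items():
        days_avg = sum(daily) / len(daily)
        if days_avg == 0:
            continue                      # nothing in the window to compare against
        last_24h = daily[-1]
        perc_change = round(last_24h / days_avg * 100, 2)
        dip_pct = round(100 - perc_change, 2)
        report[sourcetype] = {
            "days_avg": round(days_avg, 2),
            "last_24h": last_24h,
            "dip_pct": dip_pct,
            "alert": dip_pct > threshold_pct,
        }
    return report


def sample_events(now=NOW, lookback_days=LOOKBACK_DAYS):
    """Constructed event stream: (sourcetype, timestamp) pairs, one batch per day."""
    window_start = now - timedelta(days=lookback_days)
    per_day = {
        "syslog":          [100] * (lookback_days - 1) + [20],      # ~80% dip today
        "wineventlog":     [50] * lookback_days,                    # steady
        "access_combined": [40] * (lookback_days - 1) + [30],       # mild dip
        "firewall":        [10] * 20 + [0] * (lookback_days - 20),  # went silent
    }
    events = []
    for sourcetype, daily in per_day.items():
        for day, n in enumerate(daily):
            ts = window_start + timedelta(days=day, hours=12)   # midday of each bucket
            events.extend((sourcetype, ts) for _ in range(n))
    return events


def run_sample():
    """Run the check over the constructed stream; returns the per-sourcetype report."""
    return dip_report(bucket_counts(sample_events()))


if __name__ == "__main__":
    for sourcetype, row in sorted(run_sample().items()):
        status = "ALERT" if row["alert"] else "OK"
        print(f'{sourcetype:16} avg={row["days_avg"]:>7} last24h={row["last_24h"]:>4} '
              f'dip={row["dip_pct"]:>6}% {status}')
```

Running it flags `syslog` (79.45% dip) and `firewall` (100% dip, no events in the last 24 hours) and leaves `wineventlog` and `access_combined` at OK. The average here includes the last-24h bucket, matching the thread's `days_total / days`; excluding it from the baseline would make the dip slightly larger for a sourcetype that has just dropped.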