Splunk Enterprise

Filter condition in a timechart

akpadhi
Explorer

We have following query used for generating few dashboards. However we would like to setup an alert whenever the sum(connection_count) goes above a threshold value say 100. Tried few options but the filter contion is not working. Can someone please help.

 

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER") | spath cdb | spath pdb | spath application_user | search cdb=* pdb=* application_user = "*" cluster="E3"| timechart span=1H sum(connection_count) by application_user

 

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

timechart doesn't return fields named sum(connection_count). 

 

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER")
| spath cdb
| spath pdb
| spath application_user
| search cdb=* pdb=* application_user = "*" cluster="E3"
| bin span=1h _time
| stats sum(connection_count) as connection_count by _time, application_user
| where connection_count > 100

 

 

View solution in original post

0 Karma

akpadhi
Explorer

@ITWhisperer @scelikok I tried above suggestion but the where condition is still not working and not returning any results even though the timechart values are satisfying the condition. Yes either a condition on the alert or in the search would work for me.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

timechart doesn't return fields named sum(connection_count). 

 

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER")
| spath cdb
| spath pdb
| spath application_user
| search cdb=* pdb=* application_user = "*" cluster="E3"
| bin span=1h _time
| stats sum(connection_count) as connection_count by _time, application_user
| where connection_count > 100

 

 

0 Karma

akpadhi
Explorer

@ITWhisperer Thank you so much, this worked 🙂

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

By filter condition, are you referring to the custom condition on the alert, because there is a bug in some versions of splunk such that the custom condition does not work properly so doing the filtering in the search (as seen in @scelikok suggestion) is a reasonably workaround

0 Karma

scelikok
SplunkTrust
SplunkTrust

You can try by naming the sum function like below;

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER") 
| spath cdb 
| spath pdb 
| spath application_user 
| search cdb=* pdb=* application_user = "*" cluster="E3" 
| timechart span=1H sum(connection_count) as connection_count by application_user
| where connection_count>100

 

If this reply helps you an upvote is appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...