Splunk Enterprise

Filter condition in a timechart

akpadhi
Explorer

We have the following query, used for generating a few dashboards. However, we would like to set up an alert whenever sum(connection_count) goes above a threshold value, say 100. Tried a few options, but the filter condition is not working. Can someone please help?

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER")
| spath cdb
| spath pdb
| spath application_user
| search cdb=* pdb=* application_user = "*" cluster="E3"
| timechart span=1H sum(connection_count) by application_user
1 Solution

ITWhisperer
SplunkTrust

timechart doesn't return fields named sum(connection_count). 

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER")
| spath cdb
| spath pdb
| spath application_user
| search cdb=* pdb=* application_user = "*" cluster="E3"
| bin span=1h _time
| stats sum(connection_count) as connection_count by _time, application_user
| where connection_count > 100

akpadhi
Explorer

@ITWhisperer @scelikok I tried the above suggestion, but the where condition is still not working and not returning any results, even though the timechart values satisfy the condition. Yes, either a condition on the alert or in the search would work for me.

akpadhi
Explorer

@ITWhisperer Thank you so much, this worked 🙂

ITWhisperer
SplunkTrust

By filter condition, are you referring to the custom condition on the alert? There is a bug in some versions of Splunk such that the custom condition does not work properly, so doing the filtering in the search (as seen in @scelikok's suggestion) is a reasonable workaround.

scelikok
SplunkTrust

You can try naming the sum function, like below:

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER") 
| spath cdb 
| spath pdb 
| spath application_user 
| search cdb=* pdb=* application_user = "*" cluster="E3" 
| timechart span=1H sum(connection_count) as connection_count by application_user
| where connection_count>100

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
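A second way to get a per-user value that a where clause can see, added here as an example and not taken from either answer in the thread: keep the timechart the dashboards already use, then reshape its wide output with untable before filtering. It addresses the point ITWhisperer makes above (with a split-by, timechart emits one column per application_user value, so there is no field called sum(connection_count) and no field called connection_count either, which is why the alias in scelikok's version followed by where connection_count>100 matches nothing) while letting the alert share the dashboard's query. Index, sourcetype and field names and the 100 threshold are the ones from the question; limit=0 is an assumed addition so that users beyond timechart's default of ten series are not folded into an OTHER column, where a single noisy account would be invisible to the alert.

```spl
index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER")
| spath cdb
| spath pdb
| spath application_user
| search cdb=* pdb=* application_user="*" cluster="E3"
| timechart span=1h limit=0 sum(connection_count) by application_user
| untable _time application_user connection_count
| where connection_count > 100
| sort - connection_count
```

After untable, every row is one _time/application_user pair with that hour's sum in connection_count, so the where clause behaves exactly as it does after the bin/stats form in the accepted answer. To turn this into an alert, save the search with the trigger condition "Number of Results" greater than 0 rather than a custom condition on the field, schedule it hourly, and give it a time range such as earliest=-1h@h latest=@h so the bucket being evaluated is complete.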