Splunk Enterprise

Filter condition in a timechart

akpadhi
Explorer

We have the following query, used for generating a few dashboards. However, we would like to set up an alert whenever the sum(connection_count) goes above a threshold value, say 100. Tried a few options but the filter condition is not working. Can someone please help?

 

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER")
| spath cdb
| spath pdb
| spath application_user
| search cdb=* pdb=* application_user = "*" cluster="E3"
| timechart span=1H sum(connection_count) by application_user

 

 

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

timechart doesn't return fields named sum(connection_count). 

 

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER")
| spath cdb
| spath pdb
| spath application_user
| search cdb=* pdb=* application_user = "*" cluster="E3"
| bin span=1h _time
| stats sum(connection_count) as connection_count by _time, application_user
| where connection_count > 100

 

 


0 Karma
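An added example, not code from the thread or from Splunk: a small Python model of the two result shapes discussed above, so you can check offline why `where connection_count > 100` drops every row after `timechart ... by application_user` but works after `bin` + `stats`. The field names, the excluded users and the 100 threshold come from the thread; the event values, the user names APP_A/APP_B and the modelling of empty timechart cells as None are constructed assumptions. It also includes an untable step, which the thread does not use, as the usual way to get a filterable per-user column back out of a timechart.

```python
from collections import defaultdict

THRESHOLD = 100
EXCLUDED_USERS = {"No User", "SYS", "C##GGS_OWNER"}  # the thread's NOT(...) clause
SPAN_SECONDS = 3600  # span=1h

# Constructed sample events (not real data) in the shape of the thread's
# DBConnectionUsage events: epoch _time, application_user, connection_count.
EVENTS = [
    {"_time": 1700000000, "application_user": "APP_A", "connection_count": 60},
    {"_time": 1700001800, "application_user": "APP_A", "connection_count": 55},  # same hour: 115
    {"_time": 1700000600, "application_user": "APP_B", "connection_count": 20},
    {"_time": 1700003600, "application_user": "APP_A", "connection_count": 30},  # next hour
    {"_time": 1700003700, "application_user": "SYS",   "connection_count": 500}, # excluded user
]


def base_search(events):
    """The NOT(application_user=...) part of the thread's base search."""
    return [e for e in events if e["application_user"] not in EXCLUDED_USERS]


def bin_time(t, span=SPAN_SECONDS):
    """| bin span=1h _time : floor each timestamp to the start of its hour."""
    return t - t % span


def stats_sum_by_time_user(events):
    """| stats sum(connection_count) as connection_count by _time, application_user
    One row per (hour, user); the summed field keeps the name connection_count."""
    totals = defaultdict(int)
    for e in events:
        totals[(bin_time(e["_time"]), e["application_user"])] += e["connection_count"]
    return [
        {"_time": t, "application_user": u, "connection_count": c}
        for (t, u), c in sorted(totals.items())
    ]


def timechart_sum_by_user(events):
    """| timechart span=1h sum(connection_count) [as connection_count] by application_user
    One row per hour; every split-by value becomes its own column, so a row
    carries APP_A, APP_B, ... and no field named connection_count (the column
    names come from the split-by values, not from the 'as' alias).
    Cells with no data are modelled as None here (an assumption)."""
    rows = defaultdict(dict)
    users = set()
    for e in events:
        t, u = bin_time(e["_time"]), e["application_user"]
        users.add(u)
        rows[t][u] = rows[t].get(u, 0) + e["connection_count"]
    return [
        {"_time": t, **{u: rows[t].get(u) for u in sorted(users)}}
        for t in sorted(rows)
    ]


def where_gt(rows, field, threshold=THRESHOLD):
    """| where <field> > threshold : comparing a missing field is false,
    so rows that lack the field are dropped rather than kept."""
    return [r for r in rows if r.get(field) is not None and r[field] > threshold]


def untable(rows, x_field="_time", name_field="application_user",
            value_field="connection_count"):
    """| untable _time application_user connection_count : turn the wide
    timechart rows back into one row per (hour, user) so a where on
    connection_count works again (an alternative the thread does not use)."""
    out = []
    for r in rows:
        for col, val in r.items():
            if col != x_field and val is not None:
                out.append({x_field: r[x_field], name_field: col, value_field: val})
    return out


def alert_fires(rows):
    """Alert trigger condition 'number of results > 0' on the filtered search."""
    return len(rows) > 0


if __name__ == "__main__":
    filtered = base_search(EVENTS)
    # The failing form: where after timechart ... by application_user
    print(where_gt(timechart_sum_by_user(filtered), "connection_count"))  # []
    # The accepted form: where after bin + stats
    print(where_gt(stats_sum_by_time_user(filtered), "connection_count"))
```

Run it directly to print both results. For the alert itself, the practical trigger on the bin + stats form is "number of results > 0", since every row that survives the where is already above the threshold; there is then no need for a custom trigger condition.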

akpadhi
Explorer

@ITWhisperer @scelikok I tried the above suggestion but the where condition is still not working and not returning any results, even though the timechart values satisfy the condition. Yes, either a condition on the alert or in the search would work for me.

0 Karma

akpadhi
Explorer

@ITWhisperer Thank you so much, this worked 🙂

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

By filter condition, are you referring to the custom condition on the alert? There is a bug in some versions of Splunk such that the custom condition does not work properly, so doing the filtering in the search (as seen in @scelikok's suggestion) is a reasonable workaround.

0 Karma

scelikok
SplunkTrust
SplunkTrust

You can try naming the sum function like below:

index=app sourcetype=DBConnectionUsage NOT(application_user="No User" OR application_user="SYS" OR application_user="C##GGS_OWNER") 
| spath cdb 
| spath pdb 
| spath application_user 
| search cdb=* pdb=* application_user = "*" cluster="E3" 
| timechart span=1H sum(connection_count) as connection_count by application_user
| where connection_count>100

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma