Re: How to create an alert on traffic drop Deviati...

shashank_24 · ‎09-05-2022

Hi, I want to create an alert on traffic drop deviation. Something like if the traffic drop by 50% than what was it in last hour or if the traffic drops to zero, then I want the alert triggered.

Creating alert on 0 traffic is easy but that could give false positives as well so I am trying to find a way to alert only if there is a significant deviation.

Is that possible? I have this query at the moment which looks into the incoming requests. I can run the alert every 15 or 30 minutes and want to trigger if there is a deviation.

index=myapp_prod  "message.logPoint"=INCOMING_REQUEST | timechart span=30m count

Best Regards,
Shashank

shashank_24 · ‎09-06-2022

@ITWhisperer This was perfect. Everything I needed. Thanks for the help. 🙂

Just one more thing, Is there a way to compare that with same time frame but from last week? For example 10:00 today Thursday with 10:00 Thursday last week?

ITWhisperer · ‎09-06-2022

There is a timewrap command for this sort of thing.

ITWhisperer · ‎09-05-2022

index=myapp_prod  "message.logPoint"=INCOMING_REQUEST 
| timechart span=30m count
| streamstats window=1 current=f values(count) as previous
| where count / previous < 0.5

How to create an alert on traffic drop Deviation?

using Splunk Enterprise

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann