Splunk Enterprise

How to create an alert on traffic drop Deviation?

shashank_24
Path Finder

Hi, I want to create an alert on traffic drop deviation. Something like if the traffic drop by 50% than what was it in last hour or if the traffic drops to zero, then I want the alert triggered.

Creating alert on 0 traffic is easy but that could give false positives as well so I am trying to find a way to alert only if there is a significant deviation.

Is that possible? I have this query at the moment which looks into the incoming requests. I can run the alert every 15 or 30 minutes and want to trigger if there is a deviation.

 

index=myapp_prod  "message.logPoint"=INCOMING_REQUEST | timechart span=30m count

 

Best Regards,
Shashank

Labels (1)
0 Karma

shashank_24
Path Finder

@ITWhisperer This was perfect. Everything I needed. Thanks for the help. 🙂

Just one more thing, Is there a way to compare that with same time frame but from last week? For example 10:00 today Thursday with 10:00 Thursday last week?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There is a timewrap command for this sort of thing.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=myapp_prod  "message.logPoint"=INCOMING_REQUEST 
| timechart span=30m count
| streamstats window=1 current=f values(count) as previous
| where count / previous < 0.5
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...