
Alert for events over a certain amount and over a certain percentage change

Motivator

I am trying to create an alert which will notify me when the percentage change in the delta/difference of events exceeds 100% (minimum of 10 events, as I want to try and eliminate the influence of low numbers on the percentage change, i.e., going from 1 event to 6, etc.).

My search query is as follows:

index=indexname earliest=-1h Subject="xzy" SenderAddress="xyz@xyz.edu"
| timechart span=1h partial=false count
| delta count as difference
| eval difference=coalesce(difference,0)
| eval percentDifference =round(abs(difference/(count - difference))*100)
| where (difference > 1 AND percentDifference > 100)
| where count > 10

Just wanted to see if a) there was a more efficient way to run this query and b) confirm that this search should be run every hour and 10 minutes or so (there is a lag time of the logs flowing in that's about 10 minutes behind).

Thx


Re: Alert for events over a certain amount and over a certain percentage change

Esteemed Legend

You can use _index_earliest and _index_latest to help cover late arriving events.


Re: Alert for events over a certain amount and over a certain percentage change

Motivator

Awesome - thx!


Re: Alert for events over a certain amount and over a certain percentage change

Motivator

Plugged the following into the query to search for events indexed in the previous hour:

index=indexname _index_earliest=-h@h _index_latest=@h Subject="xzy" SenderAddress="xyz@xyz.edu"

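Putting the accepted answer together with the original search, as an added example that is not from any of the thread's participants. It keeps the thread's placeholder index name and field values and the 1-hour buckets, and adds two things that are my own assumptions rather than anything stated above: the `_index_earliest`/`_index_latest` modifiers filter on `_indextime` (when an event was written to the index) while `timechart` buckets on `_time` (when the event occurred), so the search rewrites `_time` from `_indextime` before charting, which makes "the previous hour" mean "the hour the events arrived in" and removes the dependency on the ingestion lag; and a `previous` field guards the percentage against a zero-count previous hour. The `earliest`/`latest` bounds on event time are set wider than the index-time window so that late-indexed events are not dropped.

```spl
index=indexname _index_earliest=-2h@h _index_latest=@h earliest=-3h@h latest=@h Subject="xzy" SenderAddress="xyz@xyz.edu"
| eval _time=_indextime
| timechart span=1h partial=false count
| delta count AS difference
| eval previous=count-difference
| eval percentDifference=if(previous > 0, round(difference/previous*100), null())
| where count > 10 AND difference > 0 AND percentDifference > 100
```

With the index-time window fixed at two whole hours, `timechart` produces three hourly rows over the event-time range, the oldest of which is empty (nothing indexed in it is in range), so its `previous` is 0 and it is filtered out; `delta` leaves the first row's `difference` null, which the `where` clause also drops. The search therefore returns at most one row, the most recent completed hour, and the alert can trigger on "number of results > 0". Because the window closes on the index-time hour boundary rather than on event time, the alert no longer needs the 10-minute offset from the question; scheduling it a minute or two past the hour (cron `2 * * * *`, an assumed value) is enough to let the last events of the hour become searchable.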