Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert when total number of events are above 20 per second, continuously for 5 mins

VS0909
Communicator
‎06-14-2021 12:04 AM

I have to trigger an alert if total number of events are above 20 per second, continuously for 5 mins.

Query :

index=abc  host = "123" earliest= -5m latest=now |  bucket _time span=1s | stats count  as Total by _time 

Alert should trigger only when 'Total' is above 20 for all the query results.

 

0 Karma
Reply

VS0909
Communicator
‎06-15-2021 03:16 AM

Appreciate your reply!

@ITWhisperer  There could be a scenario when there is no data between five minutes,  in that scenario it will trigger a false alert as there will be zero results. Can you please help to fix this scenario.

Thanks!

0 Karma
Reply

VS0909
Communicator
‎06-15-2021 02:12 AM

Appreciate your reply!

@ITWhisperer  There could be a scenario when there is no data between five minutes,  in that scenario it will trigger a false alert as there will be zero results. Can you please help to fix this scenario.

Thanks!

0 Karma
Reply

VS0909
Communicator
‎06-14-2021 03:12 AM

Thanks for the reply!

I have one query @ITWhisperer . If we consider time from 1:00:00 to 1:05:00 and there are no events between 1:03 to 1:04, then there will be no data for this time frame in the query results.  In that case alert may trigger even when condition is not met. Is there any way to check that event total is displayed for every second, and if data is not present for a time duration, it should take total for that time duration as 0.

Please advise.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-14-2021 03:40 AM

You could try

index=abc  host = "123" earliest= -5m latest=now 
|  bucket _time span=1s 
| stats count  as Total by _time
| makecontinuous _time
| eval Total=coalesce(Total,0)
| where Total <= 20
| appendpipe [stats count | where count = 0]
| eval allover20 = if(count = 0,"True",null)
| fields allover20
Reply

VS0909
Communicator
‎06-14-2021 12:22 AM

Thanks for the reply, but I want the total count of events in every second for 5 mins, then trigger an  alert when 'Total' is above 20 for all the query results. Can you please help with that.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2021 03:27 AM 
index=abc  host = "123" earliest= -5m latest=now 
|  bucket _time span=1s 
| stats count  as Total by _time
| makecontinuous _time span=1s
| eval Total=coalesce(Total,0)
| appendpipe [stats count | where count = 0 | rename count as Total]
| where Total <= 20
| appendpipe [stats count | where count = 0]
| eval allover20 = if(count = 0,"True",null)
| fields allover20
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-14-2021 12:22 AM 
index=abc  host = "123" earliest= -5m latest=now 
|  bucket _time span=1s 
| stats count  as Total by _time
| where Total <= 20
| appendpipe [stats count | where count = 0]
| eval allover20 = if(count = 0,"True",null)
| fields allover20
Reply

VS0909
Communicator
‎06-14-2021 12:34 AM

Thanks for the reply! Can you please help me understand that this query will help trigger an alert only when count is above 20 for all the rows returned. I am confused why are we doing " where count=0" ? Please advise

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-14-2021 12:39 AM

I flipped the query on its head, given that you want all counts to be over 20, if any are 20 or less, then not all are over 20, so if any rows remain you don't want to alert, it there are no rows (with count 20 or less), you want a result, which is what the appendpipe does. Then you simply eval a field and that is your trigger for the alert

Reply

VS0909
Communicator
‎06-14-2021 12:50 AM

Appreciate your reply!

I understood that part, but why are we doing  "where count=0 "

in appendpipe command ?

Thanks again!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-14-2021 01:06 AM 
| where Total <= 20

will remove all the events if they are all over 20, so you could try alerting for zero results, alternatively, the appendpipe creates an event when there are no events, so you could alert on that.

Reply

VS0909
Communicator
‎06-14-2021 12:59 AM

Appreciate your reply!

I understood that part, but why are we doing  "where count=0 "

in appendpipe command ? @ITWhisperer 

Thanks again!

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-14-2021 12:19 AM
You could try streamstats with window parameter.
https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Streamstats
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...