Consult the volume comparison of the last 07 days,...

leandromatperei · ‎06-16-2020

I have the following query below, I need to generate a third column or generate an alarm when the values generated are 80% higher than the last 07 days

earliest=-7d@d index=txt
| eval ELAPTIME = round(ELAPTIME / 100,2)/60
| timechart eval(round(avg(ELAPTIME),2)) as "Job Execution"

Result Splunk:

_time	Job Execution
2020-06-09	55.00
2020-06-10	51.74
2020-06-11	55.74
2020-06-12	70.00
2020-06-13	90.00
2020-06-14	85.00
2020-06-15	150

Note that on June 15, the job had a problem because of his time that was 80% above the other days.

DalJeanis · ‎06-16-2020

There are lots of ways. Here is one.

By the way, this is a comparison of the last 7 full days to the current partial day. The word "ALERT" will appear in a third column if the latest day is at least 80% higher than the prior average.

If you wanted to run this over a month or so, the code would look different.

earliest=-7d@d index=txt
| fields _time ELAPTIME
| bin _time span=1d 
| stats avg(ELAPTIME) as ELAPTIME by _time 
| eventstats max(_time) as maxtime
| eval ELAPTIME = round(ELAPTIME/6000,2)
| eval TODAYTIME=case(_time=maxtime,ELAPTIME)
| eventstats avg(eval(case(_time<maxtime,ELAPTIME))) as AVGTIME 
| eval ALERT=case(TODAYTIME>1.8*AVGTIME,"ALERT")
| table _time ELAPTIME ALERT
| rename ELAPTIME as "Job Execution"

Consult the volume comparison of the last 07 days, above 80% of the value of the last days to alarm.

eval

timechart

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?