Consult the volume comparison of the last 07 days,...

leandromatperei · ‎06-16-2020

I have the following query below, I need to generate a third column or generate an alarm when the values generated are 80% higher than the last 07 days

earliest=-7d@d index=txt
| eval ELAPTIME = round(ELAPTIME / 100,2)/60
| timechart eval(round(avg(ELAPTIME),2)) as "Job Execution"

Result Splunk:

_time	Job Execution
2020-06-09	55.00
2020-06-10	51.74
2020-06-11	55.74
2020-06-12	70.00
2020-06-13	90.00
2020-06-14	85.00
2020-06-15	150

Note that on June 15, the job had a problem because of his time that was 80% above the other days.

DalJeanis · ‎06-16-2020

There are lots of ways. Here is one.

By the way, this is a comparison of the last 7 full days to the current partial day. The word "ALERT" will appear in a third column if the latest day is at least 80% higher than the prior average.

If you wanted to run this over a month or so, the code would look different.

earliest=-7d@d index=txt
| fields _time ELAPTIME
| bin _time span=1d 
| stats avg(ELAPTIME) as ELAPTIME by _time 
| eventstats max(_time) as maxtime
| eval ELAPTIME = round(ELAPTIME/6000,2)
| eval TODAYTIME=case(_time=maxtime,ELAPTIME)
| eventstats avg(eval(case(_time<maxtime,ELAPTIME))) as AVGTIME 
| eval ALERT=case(TODAYTIME>1.8*AVGTIME,"ALERT")
| table _time ELAPTIME ALERT
| rename ELAPTIME as "Job Execution"

Consult the volume comparison of the last 07 days, above 80% of the value of the last days to alarm.

eval

timechart

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?