Eval threshold for a specific day of the week

dcraven02 · ‎03-26-2018

Each Monday the skype call logs have a low count;

e.g skypeuk is around 30 and skypeus is around 200 events whereas the rest of the week skypeuk is 290 and skypeus is 700.

How do I add in an exception for this or a separate search for this for to run a separate search if the day is Monday.

| tstats count as "Data Received" where index=msexchange  host=opspkhf03p  source=otl_dbin_skypeuk
| eval result=if('Data Received'> 290, "PASS", "FAIL")
| eval host="opspkhf03p"
| append 
    [| tstats count as "Data Received" where  index=msexchange  host=opspkhf03p source=skypeus
| eval result=if('Data Received'> 700, "PASS", "FAIL")
| eval host="opspkhf03p"]
| table host, "Data Received", result

tiagofbmm · ‎03-26-2018

You can do the tstats by _time and then evaluate if it is a Monday or not:

 | tstats count where index=_internal by _time span=1d
 | eval date_wday=strftime(_time,"%A")
 | eval result=if(count> 700 AND date_wday=="Monday", "PASS", "FAIL")

Eval threshold for a specific day of the week

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Eval threshold for a specific day of the week

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey