Solved: Re: How do I set an alert when 95th percentile is ...

mlui_2 · ‎06-19-2018

Hi all,

Here is my base search

index=java  location=APICall api_method=POST Duration |stats   median(Duration) as median, perc70(Duration) as p70, perc90(Duration) as p90, perc95(Duration) as p95, perc99(Duration) as p99

How do I set an alert when 95th percentile is over let's say 30000ms ?

Thanks in advance

pjdwyer · ‎06-19-2018

If I understand your data correctly you would want to add a where statement before the stats statement.

| where perc95(duration) > 30000

and if you want to add more clauses to the statement you can do it this way:

| where (perc70(duration) > 30000) OR (perc90(duration) > 30000) OR (perc95(duration) > 30000) OR (perc99(duration) > 30000)

This statement will remove any information that does not meet the said criteria.

View solution in original post

mlui_2 · ‎06-19-2018

index=java location=APICall api_method=POST Duration |timechart span=5m perc95(Duration) as P95| where P95> 30000ms

mlui_2 · ‎06-19-2018

got it

timechart span=5m perc95(Duration) as P95 | where P95>30000ms

pjdwyer · ‎06-19-2018

If I understand your data correctly you would want to add a where statement before the stats statement.

| where perc95(duration) > 30000

and if you want to add more clauses to the statement you can do it this way:

| where (perc70(duration) > 30000) OR (perc90(duration) > 30000) OR (perc95(duration) > 30000) OR (perc99(duration) > 30000)

This statement will remove any information that does not meet the said criteria.

How do I set an alert when 95th percentile is over the threshold?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor