Splunk Search

How to alert based off the last reported number in a stats count

sbattista09
Contributor

How to alert based off the last reported number in a time chart. I want to alert based on a comparison of the last two numbers where if it that value grew more than x%, I want it to alert.

0 Karma
1 Solution

woodcock
Esteemed Legend

add this:

 | tail 2 | reverse | autoregress count | eval pct_increase=100 * (count - count_p1)/count | where pct_increase > X

View solution in original post

woodcock
Esteemed Legend

add this:

 | tail 2 | reverse | autoregress count | eval pct_increase=100 * (count - count_p1)/count | where pct_increase > X

sbattista09
Contributor

so this is great however the pct_increase (i renamed it to pct_diff) is not putting a decimal so for instance
count count_p1 pct_diff
18.32 10.25 807
pct_diff should be 8.07

i fixed it by adding a decimal
| eval pct_increase=1.00 * (count - count_p1)/count | where pct_increase > X

thanks again i will be suing this a lot!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Could you provide more information on your current outputs and expected output? (The title says stats and the question says timechart ) Also share you current queries.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...