Solved: Re: How to alert based off the last reported numbe...

sbattista09 · ‎08-01-2016

How to alert based off the last reported number in a time chart. I want to alert based on a comparison of the last two numbers where if it that value grew more than x%, I want it to alert.

woodcock · ‎08-01-2016

add this:

 | tail 2 | reverse | autoregress count | eval pct_increase=100 * (count - count_p1)/count | where pct_increase > X

View solution in original post

woodcock · ‎08-01-2016

add this:

 | tail 2 | reverse | autoregress count | eval pct_increase=100 * (count - count_p1)/count | where pct_increase > X

sbattista09 · ‎08-12-2016

so this is great however the pct_increase (i renamed it to pct_diff) is not putting a decimal so for instance
count count_p1 pct_diff
18.32 10.25 807
pct_diff should be 8.07

i fixed it by adding a decimal
| eval pct_increase=1.00 * (count - count_p1)/count | where pct_increase > X

thanks again i will be suing this a lot!

somesoni2 · ‎08-01-2016

Could you provide more information on your current outputs and expected output? (The title says stats and the question says timechart ) Also share you current queries.

How to alert based off the last reported number in a stats count

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases