- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to alert on a value crossing over a moving ave...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to alert on a value crossing over a moving average of that value?
Is there any way to do this in a single search? I know it can be done by having one search compute the moving average of the field and then write that to a lookup table. A subsequent search would then compute the value for the time period and see if it is above the value in the lookup table.
Is there any way to do it with a single search that doesn't require a lookup table?
Thx.
Craig
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to run a similar search looking at decline rates for a payment gateway. I want to look at the current decline rate average trend line and also the running average trendline.
tried doing something similar but ended up getting Mismatched ']' when I ran my query.
gateway=firstdata errorType=declined event=transaction Completed earliest=-1h@h latest=@h | bucket _time span=1h | stats count as hourlyCount by _time | appendcols { search searchforerrors earliest=-7d@d latest=-1h@h | bucket _time span=1h | stats count by _time | stats avg(count) as average ] |where hourlyCount > average
Any idea why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
actually trendline or the streamstats commands will let you do this fairly easily, but really it's hard to say what works for you unless we know how you are averaging your data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me make this more specific, so that i can show an example. Every hour, I want to compare the number of errors from the past hour with the average number of errors for the past week. If the hourly count > the average count, then trigger an alert.
This search will do
searchforerrors earliest=-1h@h latest=@h
| bucket _time span=1h
| stats count as hourlyCount by _time
| appendcols { search searchforerrors earliest=-7d@d latest=-1h@h
| bucket _time span=1h
| stats count by _time
| stats avg(count) as average ]
| where hourlyCount > average
Schedule this search to run once each hour and to trigger if the number of results is greater than zero.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to run a similar search looking at decline rates for a payment gateway. I want to look at the current decline rate average trend line and also the running average trendline.
tried doing something similar but ended up getting Mismatched ']' when I ran my query.
gateway=firstdata errorType=declined event=transaction Completed earliest=-1h@h latest=@h | bucket _time span=1h | stats count as hourlyCount by _time | appendcols { search searchforerrors earliest=-7d@d latest=-1h@h | bucket _time span=1h | stats count by _time | stats avg(count) as average ] |where hourlyCount > average
Any idea why?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
