Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to alert on a value crossing over a moving average of that value?

responsys_cm
Builder
‎11-02-2012 12:38 PM

Is there any way to do this in a single search? I know it can be done by having one search compute the moving average of the field and then write that to a lookup table. A subsequent search would then compute the value for the time period and see if it is above the value in the lookup table.

Is there any way to do it with a single search that doesn't require a lookup table?

Thx.

Craig

Tags (2)
0 Karma
Reply

mhamano
Explorer
‎03-09-2016 02:11 PM

I'm trying to run a similar search looking at decline rates for a payment gateway. I want to look at the current decline rate average trend line and also the running average trendline.

tried doing something similar but ended up getting Mismatched ']' when I ran my query.

gateway=firstdata errorType=declined event=transaction Completed earliest=-1h@h latest=@h | bucket _time span=1h | stats count as hourlyCount by _time | appendcols { search searchforerrors earliest=-7d@d latest=-1h@h | bucket _time span=1h | stats count by _time | stats avg(count) as average ] |where hourlyCount > average

Any idea why?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-04-2012 09:55 PM

actually trendline or the streamstats commands will let you do this fairly easily, but really it's hard to say what works for you unless we know how you are averaging your data.

Reply

lguinn2
Legend
‎11-03-2012 12:53 AM

Let me make this more specific, so that i can show an example. Every hour, I want to compare the number of errors from the past hour with the average number of errors for the past week. If the hourly count > the average count, then trigger an alert.

This search will do

searchforerrors earliest=-1h@h latest=@h
| bucket _time span=1h
| stats count as hourlyCount by _time
| appendcols { search  searchforerrors earliest=-7d@d latest=-1h@h
      | bucket _time span=1h
      | stats count by _time
      | stats avg(count) as average ]
| where hourlyCount > average

Schedule this search to run once each hour and to trigger if the number of results is greater than zero.

Reply

mhamano
Explorer
‎03-09-2016 02:11 PM

I'm trying to run a similar search looking at decline rates for a payment gateway. I want to look at the current decline rate average trend line and also the running average trendline.

tried doing something similar but ended up getting Mismatched ']' when I ran my query.

gateway=firstdata errorType=declined event=transaction Completed earliest=-1h@h latest=@h | bucket _time span=1h | stats count as hourlyCount by _time | appendcols { search searchforerrors earliest=-7d@d latest=-1h@h | bucket _time span=1h | stats count by _time | stats avg(count) as average ] |where hourlyCount > average

Any idea why?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...