Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to apply alert based on search in Splunk?

Splunkstart
Explorer
‎11-15-2022 06:39 PM

Hi All,


these are the logger info counts which are generated in splunk 

Total numner where inds-a 20
Total numner where inds-b 30
Total numner where inds-c 40
Total numner where inds-d 50

 

i need to create a alert based on inds-c percentage


if inds-c is greater than 10% it should create a alert

below is the search query i am trying but it has some issue with the rex part ,any suggestions


index=abc log_severity=INFO OR WARN appname=doc
country=ind earlies=@d
|rex "Total Number where inds-c (?<counts>\d+)"
|rex "Total Number where inds-* (?<Allcounts>\d+)"
eval percentage=((counts/Allcounts)*100)
where percentage>=10

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-15-2022 11:29 PM

Hi @Splunkstart,

at first the main search is wrong and the approach isn't correct becuase you need to summ the values before executing the percentage, so please try something like this:

index=abc (log_severity=INFO OR log_severity=WARN)appname=doc country=ind earlies=@d
| rex "Total Number where inds-c (?<counts_c>\d+)"
| rex "Total Number where inds-* (?<Allcounts>\d+)"
| stats values(counts_c) AS counts_c sum(Allcounts) AS Allcounts 
| eval percentage=((counts_c/Allcounts)*100)
| where percentage>=10

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2022 11:30 PM

* in regex means zero or more repetitions of the previous item so your expression is looking for inds-, or inds-- etc. Use . for any character.

|rex "Total Number where inds-. (?<Allcounts>\d+)"
Reply
Solved! Jump to solution

Splunkstart
Explorer
‎11-16-2022 07:46 AM

this was helpful 

thankyou

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-15-2022 11:29 PM

Hi @Splunkstart,

at first the main search is wrong and the approach isn't correct becuase you need to summ the values before executing the percentage, so please try something like this:

index=abc (log_severity=INFO OR log_severity=WARN)appname=doc country=ind earlies=@d
| rex "Total Number where inds-c (?<counts_c>\d+)"
| rex "Total Number where inds-* (?<Allcounts>\d+)"
| stats values(counts_c) AS counts_c sum(Allcounts) AS Allcounts 
| eval percentage=((counts_c/Allcounts)*100)
| where percentage>=10

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Splunkstart
Explorer
‎11-16-2022 06:25 AM

sorry my requirement is 

Total number where inds I

Total numner where inds Z etc

when i  gave below rex  for all counts(removed * and gave . )

| rex total number where ind is . (?<Allcounts>\d+)

it worked

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...