Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to chart the number of occurrences including its respective threshold for each host and each eventtype?

zapping575
Path Finder
‎05-02-2022 10:39 AM

Hi everybody,

I have the following problem and cannot seem to be able to wrap my head around it:

  1. I have a bunch of eventtypes (close to 1000).
  2. Some of those eventtypes have certain thresholds which are greater than zero. I look the values up from a csv
  3. For a single host, I'd like to
    1. Chart the number of occurrances for an eventtype IF
      1. That number of occurrances is higher than the aforementioned threshold
      2. The chart shall also contain a static line depicting the threshold value

Here is what I have so far. I believe I am always getting lost when using an aggregate function such as count() because added something to the result using eval just wont work.

 

 

index="my_index" eventtype=* host="$HOST_FROM_DROPDOWN$"  
| lookup my-events eventtype 
| eventstats count by eventtype 
| where alert_threshold > 0 AND count > alert_threshold
| stats count by eventtype 
| eval Threshold = alert_threshold

 

 What I do understand is that I have to add the "Threshold" variable in the overlay Options of the chart.

Any help is much appreciated. Thank you

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2022 01:13 AM 
| stats count values(alert_threshold) as alert_threshold by eventtype

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2022 01:13 AM 
| stats count values(alert_threshold) as alert_threshold by eventtype
Reply
Solved! Jump to solution

zapping575
Path Finder
‎05-03-2022 02:56 AM

Thank you very much. I got it working as expected like this:

index="my_index" eventtype=* host="dropdown_value..."  
| lookup my_lookup eventtype 
| stats count values(alert_threshold) as alert_threshold by eventtype 
| where alert_threshold > 0 AND count > alert_threshold
| sort count desc

 

Now the only thing left is that the threshold value is drawn as a dot in the chart. I'd like it to be a line going across the entire bar. Is that possible?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2022 03:14 AM

You will get a dot if there is only 1 point on the line e.g. only one event type breaches the threshold

0 Karma
Reply
Solved! Jump to solution

zapping575
Path Finder
‎05-03-2022 07:23 AM

Acknowledged. thanks

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...