Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check if a value in a metric continues to grow?

llappall
Observer
‎08-02-2023 12:24 PM

I have a metric from AWS for the number of messages visible in a SQS queue, which gets computed every 5 minutes. 

2023-08-02 11:50:00    13.3
2023-08-02 11:55:00    0.0
2023-08-02 12:00:00    33.8
2023-08-02 12:05:00    0.0

This means that there were 13 messages in the queue, and 5 minutes later they were gone (processed). Then there were 33, then they were gone (processed)

If messages do not get processed, I'd expect this number to continue to grow and not decrease. 

I need to set up an alert when that happens. Is there some way to alert when a value grows, say, over 5 rows? 

Or, is there a way to compare a value to itself at different points in time? 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 02:28 PM

Basically, comparisons are done between fields in the same "event" - for your use case, this means you have to arrange for values from other events to be available in your event.

There are a number of ways to do this, and it depends on what you are looking to compare.

For example, you could find the change between two consecutive events

| streamstats window=2 current=f latest(sqs) as previous_sqs
| eval sqs_delta=sqs - previous_sqs

Or you could evaluate this as an increase or not, then count how many times it increased over the last 5 events

| streamstats window=2 current=f latest(sqs) as previous_sqs
| eval increase = if (previous_sqs < sqs, 1, 0)
| streamstats window=5 sum(increase) as rolling_increase

Then you could set your alert based on the value of rolling_increase.

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...