Splunk Search

How to check if a value in a metric continues to grow?


I have a metric from AWS for the number of messages visible in a SQS queue, which gets computed every 5 minutes. 

2023-08-02 11:50:00    13.3
2023-08-02 11:55:00    0.0
2023-08-02 12:00:00    33.8
2023-08-02 12:05:00    0.0

This means that there were 13 messages in the queue, and 5 minutes later they were gone (processed). Then there were 33, then they were gone (processed)

If messages do not get processed, I'd expect this number to continue to grow and not decrease. 

I need to set up an alert when that happens. Is there some way to alert when a value grows, say, over 5 rows? 

Or, is there a way to compare a value to itself at different points in time? 


Labels (2)
Tags (1)
0 Karma


Basically, comparisons are done between fields in the same "event" - for your use case, this means you have to arrange for values from other events to be available in your event.

There are a number of ways to do this, and it depends on what you are looking to compare.

For example, you could find the change between two consecutive events

| streamstats window=2 current=f latest(sqs) as previous_sqs
| eval sqs_delta=sqs - previous_sqs

Or you could evaluate this as an increase or not, then count how many times it increased over the last 5 events

| streamstats window=2 current=f latest(sqs) as previous_sqs
| eval increase = if (previous_sqs < sqs, 1, 0)
| streamstats window=5 sum(increase) as rolling_increase

Then you could set your alert based on the value of rolling_increase.

Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...