- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare number of events during two specifi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I’d like to compare 1) the number of events received in the last 30 minutes with 2) the average number of events received in the last 30 calendar days (reduced to a 30 minutes span)
If the result of 1) exceeds by 50% the result of 2), I’d like to have something like “warning”, otherwise “normal”.
I’ve come up with the following search but it doesn’t seem to be working and I cannot figure out what is wrong with it (I’m pretty sure it’s right under my nose)
earliest=-30d@d index=index sourcetype=sourcetype | search host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype | search host=host | stats count as last30minutes ] | eval status = if(last30minutes >= 1.5*average_reference, "Warning", "Normal")
Any help would be appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have too many | search; this works for me:
earliest=-30d@d index=index sourcetype=sourcetype host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype | stats count as last30minutes ] | eval status = if(last30minutes >= (1.5*average_reference), "Warning", "Normal")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have too many | search; this works for me:
earliest=-30d@d index=index sourcetype=sourcetype host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype | stats count as last30minutes ] | eval status = if(last30minutes >= (1.5*average_reference), "Warning", "Normal")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your feedback!
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
