Splunk Search

How to compare number of events during two specific time periods and display status according to result?

cedmarjls32
New Member

I’d like to compare 1) the number of events received in the last 30 minutes with 2) the average number of events received in the last 30 calendar days (reduced to a 30 minutes span)

If the result of 1) exceeds by 50% the result of 2), I’d like to have something like “warning”, otherwise “normal”.

I’ve come up with the following search but it doesn’t seem to be working and I cannot figure out what is wrong with it (I’m pretty sure it’s right under my nose)

earliest=-30d@d index=index sourcetype=sourcetype | search host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype | search host=host | stats count as last30minutes ] | eval status = if(last30minutes >= 1.5*average_reference, "Warning", "Normal")

Any help would be appreciated!


woodcock
Esteemed Legend

You have too many | search; this works for me:

earliest=-30d@d index=index sourcetype=sourcetype host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype host=host | stats count as last30minutes ] | eval status = if(last30minutes >= (1.5*average_reference), "Warning", "Normal")

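The same volume check expressed outside Splunk, as an added example that is not part of the original thread: it reproduces the arithmetic of the accepted search (a 30-day baseline scaled to one 30-minute window, "Warning" when the last window reaches 150% of that reference) over a constructed list of event timestamps, so the normalization and the threshold can be checked by hand. The sample data, the fixed "now", and the extra "NoBaseline" status for an empty baseline are assumptions of this example, not something the page defines.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Parameters mirroring the SPL: 30-day baseline, 30-minute window, 150% threshold.
BASELINE_DAYS = 30
WINDOW_MINUTES = 30
THRESHOLD = 1.5

Result = namedtuple("Result", "baseline_total average_reference last_window status")


def count_between(events, start, end):
    """Count event timestamps with start <= ts < end (the two stats count steps)."""
    return sum(1 for ts in events if start <= ts < end)


def average_reference(baseline_total, days=BASELINE_DAYS, window_minutes=WINDOW_MINUTES):
    """Scale a whole-baseline count down to one window.

    Equivalent to the SPL eval  last30days/30/1440*30 : count per day,
    divided by 1440 minutes in a day, times the window length in minutes.
    """
    windows_in_baseline = days * 1440 / window_minutes
    return baseline_total / windows_in_baseline


def classify(last_window, reference, threshold=THRESHOLD):
    """Status as in the SPL if(): Warning once the window reaches threshold * reference."""
    if reference == 0:
        # Added caveat: with an empty baseline every count >= 0 satisfies the
        # comparison, so an idle host would read as "Warning"; flag it separately.
        return "NoBaseline"
    return "Warning" if last_window >= threshold * reference else "Normal"


def evaluate(events, now, days=BASELINE_DAYS, window_minutes=WINDOW_MINUTES, threshold=THRESHOLD):
    """Run the full comparison: baseline count, per-window reference, recent count, status."""
    baseline_total = count_between(events, now - timedelta(days=days), now)
    reference = average_reference(baseline_total, days, window_minutes)
    last_window = count_between(events, now - timedelta(minutes=window_minutes), now)
    return Result(baseline_total, reference, last_window,
                  classify(last_window, reference, threshold))


def build_sample_events(now, burst=0, days=BASELINE_DAYS):
    """Constructed sample: one event per minute for `days` days, plus `burst`
    extra events 30 seconds before `now` to simulate a spike in the last window."""
    minutes = days * 1440
    events = [now - timedelta(minutes=m) for m in range(1, minutes + 1)]
    events += [now - timedelta(seconds=30)] * burst
    return events


def demo(burst):
    """Evaluate the constructed sample at a fixed, assumed 'now'."""
    now = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
    return evaluate(build_sample_events(now, burst), now)


if __name__ == "__main__":
    for burst in (0, 20):
        r = demo(burst)
        print(f"burst={burst:2d} baseline={r.baseline_total} "
              f"reference/window={r.average_reference:.2f} "
              f"last30m={r.last_window} -> {r.status}")
```

With a steady one-event-per-minute history the reference is exactly 30 events per window, so the unburst sample (30 events in the last 30 minutes) stays "Normal" while adding 20 events (50 in the window, against a threshold of about 45) flips it to "Warning". Note that, as in the SPL, the baseline window also contains the recent events, which is why the reference rises slightly with the burst.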


cedmarjls32
New Member

Thanks for your feedback!
