Splunk Search

How to compare number of events during two specific time periods and display status according to result?

cedmarjls32
New Member

I’d like to compare 1) the number of events received in the last 30 minutes with 2) the average number of events received in the last 30 calendar days (reduced to a 30-minute span)

If the result of 1) exceeds by 50% the result of 2), I’d like to have something like “warning”, otherwise “normal”.

I’ve come up with the following search but it doesn’t seem to be working and I cannot figure out what is wrong with it (I’m pretty sure it’s right under my nose).

earliest=-30d@d index=index sourcetype=sourcetype | search host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype | search host=host | stats count as last30minutes ] | eval status = if(last30minutes >= 1.5*average_reference, "Warning", "Normal")

Any help would be appreciated!

1 Solution

woodcock
Esteemed Legend

You have too many | search; this works for me:

earliest=-30d@d index=index sourcetype=sourcetype host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype host=host | stats count as last30minutes ] | eval status = if(last30minutes >= (1.5*average_reference), "Warning", "Normal")

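An alternative formulation of the same comparison, added here as an example and not part of the thread: one search over the whole 30-day window, split into the two spans with eval, so no appendcols is needed. appendcols silently produces a null last30minutes (and therefore a null status) when the subsearch returns no rows, and a baseline of zero makes last30minutes >= 1.5*0 true for every value, which the case() below handles explicitly. index, sourcetype and host are the same placeholder values used in the thread; the field names window, baseline_count and baseline_windows are this example's own.

```spl
index=index sourcetype=sourcetype host=host earliest=-30d@d latest=now
| eval window=if(_time >= relative_time(now(), "-30m"), "last30minutes", "baseline")
| stats count(eval(window="last30minutes")) as last30minutes, count(eval(window="baseline")) as baseline_count
| eval baseline_windows=(relative_time(now(), "-30m") - relative_time(now(), "-30d@d")) / 1800
| eval average_reference=baseline_count / baseline_windows
| eval status=case(average_reference=0 AND last30minutes>0, "Warning", last30minutes >= 1.5 * average_reference, "Warning", true(), "Normal")
```

The eval on the second line tags each event as belonging to the current 30 minutes or to the baseline, and the stats line counts both in a single pass, so one row is always returned even when either span is empty (both counts are then 0 and the status is Normal). baseline_windows is the number of 30-minute slots (1800 seconds each) between the start of the 30-day window and the start of the current window, so the baseline excludes the span being tested rather than including it as the thread's version does; average_reference is then the per-slot average. The 1.5 threshold is the 50% excess from the question and can be changed in place.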
cedmarjls32
New Member

Thanks for your feedback!
