Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare two counts from a single stats search, and alert if there is a large difference between the results?

Xarian
Explorer
‎09-15-2016 04:10 PM

I have searched a lot and haven't found a straight answer to this, yet.

I want to create an alert on spikes of load for two hosts. To do this, I am comparing minutes. Ignoring the current minute, as its data is incomplete, I am comparing the previous minute with the one before that. If there is a large spike in the two results, I want to trigger an alert. Currently, I am struggling comparing the two values as they are just in a table. Is there a better way to approach this? Thank you.

This is what I have so far:

index=web host=*EXP0* earliest=@m-2m latest=@m | bucket _time span=1m | stats count by _time
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-15-2016 04:33 PM

Try this

index=web host=*EXP0* earliest=@m-2m latest=@m | eval when=if(_time>relative_time(now(), "-1m@m"), "current", "previous") | eval dummy=" " | chart count over dummy by when | where current-previous>largenumber

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-15-2016 04:33 PM

Try this

index=web host=*EXP0* earliest=@m-2m latest=@m | eval when=if(_time>relative_time(now(), "-1m@m"), "current", "previous") | eval dummy=" " | chart count over dummy by when | where current-previous>largenumber
Reply
Solved! Jump to solution

Xarian
Explorer
‎09-15-2016 06:30 PM

Hi Sundareshr, thanks for the response, that looks great!

Both of our searches provide the same total count, however, the total results per minute are different.
My search resulted in (14482+15418=92200) taking ~5secs
Yours resulted in (15240+14660=92200) taking ~15secs

Could the difference be due to each hosts varying interpretation of the 'now()' function, if the host system clocks weren't identical? As I'm alerting on anomalies per minute, I want to be vigilant that the results are falling into the correct minute.
Thanks so much for the help!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-15-2016 08:04 PM

You could also try this

index=web host=*EXP0* earliest=@m-2m latest=@m | bucket _time span=1m | stats count by _time | delta count | where isnotnull(count)
0 Karma
Reply
Solved! Jump to solution

Xarian
Explorer
‎09-18-2016 09:37 PM

Thanks for your help, This worked perfectly. Have a great week.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...