Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare two counts from a single stats search, and alert if there is a large difference between the results?

Xarian
Explorer
‎09-15-2016 04:10 PM

I have searched a lot and haven't found a straight answer to this, yet.

I want to create an alert on spikes of load for two hosts. To do this, I am comparing minutes. Ignoring the current minute, as its data is incomplete, I am comparing the previous minute with the one before that. If there is a large spike in the two results, I want to trigger an alert. Currently, I am struggling comparing the two values as they are just in a table. Is there a better way to approach this? Thank you.

This is what I have so far:

index=web host=*EXP0* earliest=@m-2m latest=@m | bucket _time span=1m | stats count by _time
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-15-2016 04:33 PM

Try this

index=web host=*EXP0* earliest=@m-2m latest=@m | eval when=if(_time>relative_time(now(), "-1m@m"), "current", "previous") | eval dummy=" " | chart count over dummy by when | where current-previous>largenumber

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-15-2016 04:33 PM

Try this

index=web host=*EXP0* earliest=@m-2m latest=@m | eval when=if(_time>relative_time(now(), "-1m@m"), "current", "previous") | eval dummy=" " | chart count over dummy by when | where current-previous>largenumber
Reply
Solved! Jump to solution

Xarian
Explorer
‎09-15-2016 06:30 PM

Hi Sundareshr, thanks for the response, that looks great!

Both of our searches provide the same total count, however, the total results per minute are different.
My search resulted in (14482+15418=92200) taking ~5secs
Yours resulted in (15240+14660=92200) taking ~15secs

Could the difference be due to each hosts varying interpretation of the 'now()' function, if the host system clocks weren't identical? As I'm alerting on anomalies per minute, I want to be vigilant that the results are falling into the correct minute.
Thanks so much for the help!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-15-2016 08:04 PM

You could also try this

index=web host=*EXP0* earliest=@m-2m latest=@m | bucket _time span=1m | stats count by _time | delta count | where isnotnull(count)
0 Karma
Reply
Solved! Jump to solution

Xarian
Explorer
‎09-18-2016 09:37 PM

Thanks for your help, This worked perfectly. Have a great week.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...