
## How to create an Alert for an increase in IIS requests compared to a previous date

Communicator

Hi,

I’m looking at creating an Alert for an increase in IIS requests compared to a previous date, based on a percentage.

Just wondered if this was possible?

thanks,

joe


1 Solution
SplunkTrust

At the very minimum, you can do something like

```
| where _time - relative_time(now(), "-4d@d") < 0 AND _time - relative_time(now(), "-5d@d") > 0 OR _time - relative_time(now(), "-0d@d") < 0 AND _time - relative_time(now(), "-1d@d") > 0
| bin _time span=1d
| stats count by _time
| delta count as delta
| where delta/(count - delta) > 0.3
```

Here, the count in the previous day (between `-0d@d` and `-1d@d`) is compared with that in the -5th day, and a stat is returned if the delta is larger than 30%. To calculate for events during the current day, replace `_time - relative_time(now(), "-0d@d") < 0 AND _time - relative_time(now(), "-1d@d") > 0` with `relative_time(now(), "-0d@d") > 0`.
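The same comparison written as a complete alert search, as an added example that is not part of the original answer: it counts both days in a single `stats` row, so a baseline day with no events still produces a result instead of silently dropping out of `stats count by _time`. The `index=iis sourcetype=iis` selector and the field names `period`, `current_count`, `baseline_count`, `pct_increase` and `alert` are assumptions; the 30% threshold and the day boundaries are the ones used in the answer.

```spl
index=iis sourcetype=iis earliest=-5d@d latest=@d
| eval period=case(_time >= relative_time(now(), "-1d@d"), "current",
                   _time <  relative_time(now(), "-4d@d"), "baseline")
| where isnotnull(period)
| stats count(eval(period="current"))  as current_count
        count(eval(period="baseline")) as baseline_count
| eval pct_increase=if(baseline_count > 0,
        round(100 * (current_count - baseline_count) / baseline_count, 1),
        null())
| eval alert=case(baseline_count = 0 AND current_count > 0, "no_baseline",
                  pct_increase > 30, "increase")
| where isnotnull(alert)
```

Saved as a scheduled alert that triggers when the number of results is greater than zero, this fires on a rise above 30% and also flags the case where the baseline day had no IIS events at all.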

Communicator

Thanks
