Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create an alert if field value remains above a specific threshold?

cquinney
Communicator
‎03-11-2019 03:50 PM

Greetings

I'm looking to create an alert if a field value consecutively remains above a specific threshold, say 500. For example:

Time        Field-1
1310         583
1315         678
1320         300
1325         789

In this example, I would get an alert at 1315 but not at 1320 or 1325 as the value was not above 500 consecutively. Any help in resolving this is greatly appreciated.

0 Karma
Reply

nickhills
Ultra Champion
‎03-12-2019 04:34 AM

Hi @cquinney

Try this:

[your search] |dedup 2 sourcetype |where Field-1>500 |eventstats count|where count>1|table Time Field-1

This will look at the last two consecutive events, and only include them when the value is > 500.
Then eventstats counts how many records you have - more than 1 records, and you get a result

If my comment helps, please give it a thumbs up!
0 Karma
Reply

cquinney
Communicator
‎03-12-2019 07:15 AM

Hi Nickhillscpl,

Thank you for the query, it's not quite giving me the results I'm looking for. I've updated my query to the following:

| makeresults
| stats count by _time
| eval lock_count=case(count>500,"alert")
| search lock_count=alert
| bin _time span=5m
| streamstats count window=2 by lock_alert

Now trying to resolve, if I get two "alerts" in a 5 min time-frame I can generate an alert. Any suggestions?

0 Karma
Reply

cquinney
Communicator
‎03-12-2019 10:01 AM

I found an alternate solution by modifying my query to:

| makeresults
| timechart span=5min count
| eval hour=strftime(_time,"%H:%M")
| streamstats current=f window=2 last(count) as last_count
| table hour count last_count

Then I created an alert condition where count > 500 AND last_count > 500

0 Karma
Reply

zonistj
Path Finder
‎03-11-2019 04:48 PM

There are a few ways to go about this and the optimal solution depends on specifics of your data.

Do the events come in every five minutes or is that just an example?

0 Karma
Reply

cquinney
Communicator
‎03-12-2019 04:22 AM

The data currently comes in every 5 mins.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...