Re: How to create an alert if field value remains ...

cquinney · ‎03-11-2019

Greetings

I'm looking to create an alert if a field value consecutively remains above a specific threshold, say 500. For example:

Time        Field-1
1310         583
1315         678
1320         300
1325         789

In this example, I would get an alert at 1315 but not at 1320 or 1325 as the value was not above 500 consecutively. Any help in resolving this is greatly appreciated.

nickhills · ‎03-12-2019

Hi @cquinney

Try this:

[your search] |dedup 2 sourcetype |where Field-1>500 |eventstats count|where count>1|table Time Field-1

This will look at the last two consecutive events, and only include them when the value is > 500.
Then eventstats counts how many records you have - more than 1 records, and you get a result

If my comment helps, please give it a thumbs up!

cquinney · ‎03-12-2019

Hi Nickhillscpl,

Thank you for the query, it's not quite giving me the results I'm looking for. I've updated my query to the following:

Now trying to resolve, if I get two "alerts" in a 5 min time-frame I can generate an alert. Any suggestions?

cquinney · ‎03-12-2019

I found an alternate solution by modifying my query to:

Then I created an alert condition where count > 500 AND last_count > 500

zonistj · ‎03-11-2019

There are a few ways to go about this and the optimal solution depends on specifics of your data.

Do the events come in every five minutes or is that just an example?

cquinney · ‎03-12-2019

The data currently comes in every 5 mins.

How to create an alert if field value remains above a specific threshold?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk