
How to create an alert if field value remains above a specific threshold?



I'm looking to create an alert if a field value consecutively remains above a specific threshold, say 500. For example:

Time        Field-1
1310         583
1315         678
1320         300
1325         789

In this example, I would get an alert at 1315 but not at 1320 or 1325 as the value was not above 500 consecutively. Any help in resolving this is greatly appreciated.

0 Karma

Ultra Champion

Hi @cquinney

Try this:

[your search] | dedup 2 sourcetype | where 'Field-1'>500 | eventstats count | where count>1 | table Time Field-1

This will look at the last two consecutive events, and only include them when the value is > 500.
Then eventstats counts how many records you have: more than 1 record, and you get a result.

If my comment helps, please give it a thumbs up!
0 Karma


Hi Nickhillscpl,

Thank you for the query, it's not quite giving me the results I'm looking for. I've updated my query to the following:

| makeresults
| stats count by _time
| eval lock_count=case(count>500,"alert")
| search lock_count=alert
| bin _time span=5m
| streamstats count window=2 by lock_count

Now trying to resolve, if I get two "alerts" in a 5 min time-frame I can generate an alert. Any suggestions?

0 Karma


I found an alternate solution by modifying my query to:

| makeresults
| timechart span=5min count
| eval hour=strftime(_time,"%H:%M")
| streamstats current=f window=2 last(count) as last_count
| table hour count last_count

Then I created an alert condition where count > 500 AND last_count > 500

0 Karma
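
The consecutive-threshold check discussed in this thread, generalized to any run length, as an added example that is not part of the original posts. It uses constructed rows copied from the question's sample table; the field names `value`, `threshold`, `min_run`, `above` and `run` are assumptions chosen for illustration.

```spl
| makeresults count=4
| eval note="constructed sample rows from the question; value, threshold, min_run are assumed names"
| streamstats count as n
| eval Time=case(n==1,"1310", n==2,"1315", n==3,"1320", n==4,"1325")
| eval value=case(n==1,583, n==2,678, n==3,300, n==4,789)
| eval threshold=500, min_run=2
| eval above=if(value>threshold, 1, 0)
| streamstats reset_on_change=true count as run by above
| where above==1 AND run>=min_run
| table Time value run
```

With real data, replace the first five lines with the base search and make sure events are in ascending time order (for example `| sort 0 _time`) before `streamstats`, because the run counter follows the order in which events arrive. Use `run==min_run` instead of `run>=min_run` to get one result per streak rather than one for every interval the streak continues.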

Path Finder

There are a few ways to go about this and the optimal solution depends on specifics of your data.

Do the events come in every five minutes or is that just an example?

0 Karma


The data currently comes in every 5 mins.

0 Karma