
How to create an alert if field value remains above a specific threshold?

Path Finder

Greetings

I'm looking to create an alert if a field value consecutively remains above a specific threshold, say 500. For example:

Time        Field-1
1310         583
1315         678
1320         300
1325         789

In this example, I would get an alert at 1315 but not at 1320 or 1325 as the value was not above 500 consecutively. Any help in resolving this is greatly appreciated.


Re: How to create an alert if field value remains above a specific threshold?

Path Finder

There are a few ways to go about this and the optimal solution depends on specifics of your data.

Do the events come in every five minutes or is that just an example?


Re: How to create an alert if field value remains above a specific threshold?

Path Finder

The data currently comes in every 5 mins.


Re: How to create an alert if field value remains above a specific threshold?

Ultra Champion

Hi @cquinney

Try this:

[your search] | dedup 2 sourcetype | where 'Field-1'>500 | eventstats count | where count>1 | table Time Field-1

This will look at the last two consecutive events, and only include them when the value is > 500.
Then eventstats counts how many records you have - more than 1 record, and you get a result.


Re: How to create an alert if field value remains above a specific threshold?

Path Finder

Hi Nickhillscpl,

Thank you for the query, but it's not quite giving me the results I'm looking for. I've updated my query to the following:

| makeresults
| stats count by _time
| eval lock_count=case(count>500,"alert")
| search lock_count=alert
| bin _time span=5m
| streamstats count window=2 by lock_count

Now I'm trying to resolve this: if I get two "alerts" in a 5 min time-frame, I can generate an alert. Any suggestions?


Re: How to create an alert if field value remains above a specific threshold?

Path Finder

I found an alternate solution by modifying my query to:

| makeresults
| timechart span=5min count
| eval hour=strftime(_time,"%H:%M")
| streamstats current=f window=2 last(count) as last_count
| table hour count last_count

Then I created an alert condition where count > 500 AND last_count > 500

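To make the "two consecutive buckets above the threshold" logic from the last post checkable outside Splunk, here is an added Python example (not code from the thread or from Splunk) that mirrors the SPL pipeline: bucket the timestamps like `bin _time span=5m`, then compare each bucket with the previous one the way `streamstats current=f window=2 last(count) as last_count` followed by `count > 500 AND last_count > 500` does. It goes slightly beyond the thread in two ways: the window length is a parameter (`needed`), and an empty bucket breaks the run, which matches `timechart` reporting 0 for a bucket with no events but differs from running `streamstats` over raw events, where two events 10 minutes apart would still be treated as adjacent. The row data is constructed from the table in the question; the function and parameter names are assumptions.

```python
from typing import Dict, List, Tuple

THRESHOLD = 500   # threshold used in the question
SPAN_MIN = 5      # bucket size in minutes, like `bin _time span=5m`

# Constructed sample reproducing the question's table (HHMM, Field-1); not real data.
SAMPLE_ROWS: List[Tuple[str, int]] = [("1310", 583), ("1315", 678), ("1320", 300), ("1325", 789)]


def hhmm_to_minutes(hhmm: str) -> int:
    """'1315' -> 795 minutes since midnight."""
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def minutes_to_hhmm(minutes: int) -> str:
    """795 -> '1315'."""
    return f"{minutes // 60:02d}{minutes % 60:02d}"


def bin_rows(rows: List[Tuple[str, int]], span_min: int = SPAN_MIN) -> Dict[int, int]:
    """Floor every timestamp to its bucket (like `bin _time span=5m`).

    The question has one event per bucket; if several land in one bucket the
    maximum is kept, so a breach inside the bucket is never masked.
    """
    buckets: Dict[int, int] = {}
    for hhmm, value in rows:
        bucket = hhmm_to_minutes(hhmm) // span_min * span_min
        buckets[bucket] = max(buckets.get(bucket, value), value)
    return buckets


def consecutive_breaches(rows: List[Tuple[str, int]], threshold: int = THRESHOLD,
                         needed: int = 2, span_min: int = SPAN_MIN) -> List[str]:
    """Return the HHMM of every bucket that completes a run of `needed`
    consecutive buckets above `threshold`.

    needed=2 reproduces the accepted alert condition
    `count > 500 AND last_count > 500`; a larger value generalises the window.
    Buckets with no data count as 0 (as timechart reports them), so a gap in
    the data ends the run instead of letting two distant events look adjacent.
    Like the SPL, a run longer than `needed` alerts on every bucket after the
    first `needed - 1`, not only once.
    """
    buckets = bin_rows(rows, span_min)
    if not buckets:
        return []
    alerts: List[str] = []
    streak = 0
    for bucket in range(min(buckets), max(buckets) + span_min, span_min):
        value = buckets.get(bucket, 0)  # empty bucket -> 0, same as timechart
        streak = streak + 1 if value > threshold else 0
        if streak >= needed:
            alerts.append(minutes_to_hhmm(bucket))
    return alerts


if __name__ == "__main__":
    # Expected: only 1315 fires, matching the question's worked example.
    print("alerts:", consecutive_breaches(SAMPLE_ROWS))
    # Constructed gap case: 1310 and 1320 both breach, but 1315 is missing.
    print("with gap:", consecutive_breaches([("1310", 583), ("1320", 678)]))
```

Running it prints `alerts: ['1315']` and `with gap: []`; the second line is the caveat worth keeping in mind when the underlying search is event-based rather than `timechart`-based, because `streamstats` over events has no notion of the missing 1315 bucket.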