Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create an alert to trigger based on a c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to alert based off a current value and if that value increases over a threshold within a set time.
I want to alert if I have a count of 100 and if it grows to 200 within 30 minutes. The 100 count will grow no matter what, but I want to alert if it grows a lot within a set time so we can look into what is going on or why it is growing. This will be used for licences and sourcetype alerting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for a 1d timeframe (feel free to adjust timeframes). Alert if count>0
... | timechart span=30m count | autogress count as pc | where count>=ps*2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for a 1d timeframe (feel free to adjust timeframes). Alert if count>0
... | timechart span=30m count | autogress count as pc | where count>=ps*2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
unknown search command 'autogress'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what i have for license usage and i want to take the Volume number and check every hour if it grew more than a set number.
index=_internal source=*license_usage.log earliest=-1d@d | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | timechart span=30m sum(b) AS "volume"
the other issue is why would the data show up like this? is there something different with the index=_internal
_time volume
2016-07-28 00:00:00 110.855
2016-07-28 00:30:00 1.222
2016-07-28 01:00:00 1.207
2016-07-28 01:30:00 1.121
2016-07-28 02:00:00 1.223
2016-07-28 02:30:00 1.202
2016-07-28 03:00:00 1.198
2016-07-28 03:30:00 1.211
2016-07-28 04:00:00 1.502
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The command is autoregress. Try this query
index=_internal source=*license_usage.log earliest=-1d@d | eval b=round(b/1024/1024/1024, 3) | timechart span=30m sum(b) AS volume | autoregress volume as prev_vol | where volume>prev_vol*2
*OR*
index=_internal source=*license_usage.log earliest=-1d@d | eval b=round(b/1024/1024/1024, 3) | timechart span=30m sum(b) AS volume | trendline sma2(volume) as trend | stats earliest(volume) as volume latest(trend) as trend | where volume<trend*2
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
