Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create an alert to trigger based on a current value, and if that value increases over a threshold within a set time?

sbattista09
Contributor
‎07-29-2016 10:12 AM

I want to alert based off a current value and if that value increases over a threshold within a set time.

I want to alert if I have a count of 100 and if it grows to 200 within 30 minutes. The 100 count will grow no matter what, but I want to alert if it grows a lot within a set time so we can look into what is going on or why it is growing. This will be used for licences and sourcetype alerting.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-29-2016 10:27 AM

Try this for a 1d timeframe (feel free to adjust timeframes). Alert if count>0

... | timechart span=30m count | autogress count as pc | where count>=ps*2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-29-2016 10:27 AM

Try this for a 1d timeframe (feel free to adjust timeframes). Alert if count>0

... | timechart span=30m count | autogress count as pc | where count>=ps*2
0 Karma
Reply
Solved! Jump to solution

sbattista09
Contributor
‎07-29-2016 10:39 AM

unknown search command 'autogress'

0 Karma
Reply
Solved! Jump to solution

sbattista09
Contributor
‎07-29-2016 11:32 AM

This is what i have for license usage and i want to take the Volume number and check every hour if it grew more than a set number.

index=_internal source=*license_usage.log  earliest=-1d@d   | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | timechart span=30m sum(b) AS "volume"

the other issue is why would the data show up like this? is there something different with the index=_internal 

_time   volume
2016-07-28 00:00:00 110.855
2016-07-28 00:30:00 1.222
2016-07-28 01:00:00 1.207
2016-07-28 01:30:00 1.121
2016-07-28 02:00:00 1.223
2016-07-28 02:30:00 1.202
2016-07-28 03:00:00 1.198
2016-07-28 03:30:00 1.211
2016-07-28 04:00:00 1.502
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-04-2016 12:57 PM

The command is autoregress. Try this query

index=_internal source=*license_usage.log  earliest=-1d@d | eval b=round(b/1024/1024/1024, 3) | timechart span=30m sum(b) AS volume | autoregress volume as prev_vol | where volume>prev_vol*2

*OR*

index=_internal source=*license_usage.log  earliest=-1d@d | eval b=round(b/1024/1024/1024, 3) | timechart span=30m sum(b) AS volume | trendline sma2(volume) as trend | stats earliest(volume) as volume latest(trend) as trend | where volume<trend*2
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top