Re: How to create an alert to trigger if the value...

manja054 · ‎07-20-2015

Saved search:

 sourcetype=*    | timechart last(Cnt) as CurrentQueueLength span=5m | Where CurrentQueueLength>0 | table CurrentQueueLength | outputcsv ABC

CSV:
CurrentQueueLength
15

If the value increases by 5 (Value to be taken from CSV file), I need to trigger an alert ( cond=CurrentQueueLength+5).

woodcock · ‎07-20-2015

I don't get your search: it could return more than 1 value or no values! You should probably do something like this:

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | outputcsv ABC

Then schedule the following search as an alert that triggers when "# events > 0" and runs 1 minute before the first one runs (just before the value is overwritten):

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | append [|inputcsv ABC | rename CurrentQueueLength AS PrevQueueLength] | eval delta = CurrentQueueLength - PrevQueueLength | where delta > 5

Also, you might consider using avg but definitely don't use last because it does the opposite of what you think it does (earliest value), which is why I switched it to latest.

How to create an alert to trigger if the value stored in a CSV file increases by 5?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)