Splunk Search

How to create an alert to trigger if the value stored in a CSV file increases by 5?


Saved search:

 sourcetype=* | timechart last(Cnt) as CurrentQueueLength span=5m | where CurrentQueueLength>0 | table CurrentQueueLength | outputcsv ABC


If the value increases by 5 (the previous value to be taken from the CSV file), I need to trigger an alert (cond=CurrentQueueLength+5).


Esteemed Legend

I don't get your search: it could return more than 1 value or no values! You should probably do something like this:

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | outputcsv ABC

Then schedule the following search as an alert that triggers when "# events > 0" and runs 1 minute before the first one runs (just before the value is overwritten):

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | appendcols [|inputcsv ABC | rename CurrentQueueLength AS PrevQueueLength] | eval delta = CurrentQueueLength - PrevQueueLength | where delta > 5

Also, you might consider using avg but definitely don't use last because it does the opposite of what you think it does (earliest value), which is why I switched it to latest.

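The alert search from the answer above with the first-run case handled, as an added example that is not part of the original thread. It assumes the scheduled search has written ABC at least once (inputcsv on a missing file errors out), that Cnt is numeric, and that "increases by 5" means a delta of 5 or more:

```spl
earliest=-5m@m sourcetype=*
| stats latest(Cnt) as CurrentQueueLength
    `comment("appendcols puts the stored value on the SAME row; append would add a second row and the subtraction below would be null")`
| appendcols [| inputcsv ABC | head 1 | rename CurrentQueueLength AS PrevQueueLength]
    `comment("PrevQueueLength is null if the CSV is empty; skip the comparison rather than alerting on the first run")`
| eval delta = if(isnull(PrevQueueLength), null(), CurrentQueueLength - PrevQueueLength)
| where delta >= 5
| table CurrentQueueLength PrevQueueLength delta
```

Schedule it as the answer describes (trigger on "# events > 0", one minute before the writer search overwrites ABC); the `head 1` guards against the CSV ever holding more than one row.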