Splunk Search

How to create an alert to trigger if the value stored in a CSV file increases by 5?


Saved search:

sourcetype=* | timechart last(Cnt) as CurrentQueueLength span=5m | where CurrentQueueLength>0 | table CurrentQueueLength | outputcsv ABC


If the value increases by 5 (value to be taken from the CSV file), I need to trigger an alert (cond=CurrentQueueLength+5).


Esteemed Legend

I don't get your search: it could return more than 1 value or no values! You should probably do something like this:

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | outputcsv ABC

Then schedule the following search as an alert that triggers when "# events > 0" and runs 1 minute before the first one runs (just before the value is overwritten):

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | appendcols [| inputcsv ABC | rename CurrentQueueLength AS PrevQueueLength] | eval delta = CurrentQueueLength - PrevQueueLength | where delta > 5

Also, you might consider using avg but definitely don't use last because it does the opposite of what you think it does (earliest value), which is why I switched it to latest.

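To make the scheduling logic in the answer concrete, here is an added Python model of the two searches (this is not Splunk code and not from the answer above): one function plays the role of `stats latest(Cnt)` over a 5-minute window, one reads the previous value back like `inputcsv`, one compares them like the `eval delta ... | where delta > 5` step, and one overwrites the state like `outputcsv`. The event data and the `run_cycle` ordering (check first, then overwrite) are assumptions made for the example; it also shows what happens on the first run (no CSV yet) and on an interval with no events, cases the SPL handles silently by producing no result.

```python
import csv
import os
import tempfile
from datetime import datetime, timedelta

THRESHOLD = 5  # alert when the queue grew by more than this since the last run

# Constructed sample events (timestamp, Cnt); stand-ins for the sourcetype=* data.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(minutes=1), 10),
    (T0 + timedelta(minutes=3), 12),
    (T0 + timedelta(minutes=7), 20),
    (T0 + timedelta(minutes=12), 21),
]


def latest_cnt(events, now, window=timedelta(minutes=5)):
    """Model of `earliest=-5m@m ... | stats latest(Cnt)`.

    Snaps `now` to the minute (the @m part), keeps events inside the window and
    returns the Cnt of the newest one, or None when the window is empty."""
    window_start = now.replace(second=0, microsecond=0) - window
    in_window = [e for e in events if window_start <= e[0] <= now]
    if not in_window:
        return None
    return max(in_window, key=lambda e: e[0])[1]


def read_state(path):
    """Model of `inputcsv ABC`: the previously stored value, or None if there is none yet."""
    if not os.path.exists(path):
        return None
    with open(path, newline="") as f:
        rows = list(csv.DictReader(f))
    if not rows or not rows[0].get("CurrentQueueLength"):
        return None
    return float(rows[0]["CurrentQueueLength"])


def write_state(path, value):
    """Model of `outputcsv ABC`: overwrite the one-row lookup with the current value."""
    with open(path, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=["CurrentQueueLength"])
        writer.writeheader()
        writer.writerow({"CurrentQueueLength": value})


def alert_check(current, previous, threshold=THRESHOLD):
    """Model of `eval delta = Current - Prev | where delta > 5`. Returns (fires, delta).

    Either side missing means no row survives the where clause, so no alert."""
    if current is None or previous is None:
        return False, None
    delta = current - previous
    return delta > threshold, delta


def run_cycle(events, now, state_path):
    """One scheduled interval in the order the answer recommends:
    the alert search runs first, then the saved search overwrites the CSV."""
    current = latest_cnt(events, now)
    previous = read_state(state_path)
    fires, delta = alert_check(current, previous)
    if current is not None:  # an empty window leaves the stored value untouched
        write_state(state_path, current)
    return fires, delta


def demo():
    """Run four 5-minute intervals over the sample events; returns the per-cycle results
    and the value left in the CSV at the end."""
    with tempfile.TemporaryDirectory() as tmp:
        state_path = os.path.join(tmp, "ABC.csv")
        results = []
        for minutes in (5, 10, 15, 20):
            results.append(run_cycle(SAMPLE_EVENTS, T0 + timedelta(minutes=minutes), state_path))
        return results, read_state(state_path)


if __name__ == "__main__":
    for cycle, (fires, delta) in enumerate(demo()[0], start=1):
        print(f"cycle {cycle}: delta={delta} alert={'FIRES' if fires else 'no'}")
```

The second cycle is the only one that fires: the stored value is 12 and the newest event in the window reports 20. The first cycle has no stored value, so it seeds the CSV without alerting, which is the same behaviour the SPL gives when the lookup does not exist yet; the fourth cycle sees no events, so the comparison is skipped and the previous value is kept rather than overwritten with nothing.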