Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search with appendcols to alert on ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search with appendcols to alert on a 99% drop in logging from an app_pool?
daniel333
Builder
06-29-2016
11:47 AM
alt text
I want an alert if an application pool drops more than 99% of logging. (We have an issue where before a JVM crashes, its logs start to really slow down, and they often blame Splunk) .
So I thought, okay. Get a count of the last 15 minutes. Then get a count of the previous 15 minutes by App_pool. However, the numbers I am getting don't match up to a timechart.
tag=java |
stats count as "Current" by app_pool |
appendcols [search tag=java earliest=-30m@m latest=-15m@m|
stats count as "Previous" by app_pool ] |
eval myratio=Current/Previous |
eval prcIncrease=myratio*100 |
table app_pool, Current, Previous, myratio, prcIncrease |
where prcIncrease < 1
My results:
app_pool Current Previous myratio prcIncrease
stc 5352 3874403 0.001381 0.1381
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-07-2016
11:09 AM
Try running this for "Last 30 minutes"
tag=java
| timechart span=15m count BY app_pool
| untable _time app_pool Current
| streamstats current=f last(Current) AS Previous BY host
| eval myratio=Current/Previous
| eval prcIncrease=myratio*100
| where prcIncrease < 1
This will actually work for time span.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-29-2016
07:01 PM
try changing the order of the searches
tag=java earliest=-30m@m latest=-15m@m|stats count as "Previous" by app_pool |appendcols [tag=java earliest=-15m| stats count as "Current" by app_pool ]
| eval myratio=Current/Previous | eval prcIncrease=myratio*100 |table app_pool, Current, Previous, myratio, prcIncrease |where prcIncrease < 1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Ready to master Kubernetes and cloud monitoring like the pros?
Join Splunk’s Growth Engineering team for an ...
Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know
To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...
October Community Champions: A Shoutout to Our Contributors!
As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...
