Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search with appendcols to alert on ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search with appendcols to alert on a 99% drop in logging from an app_pool?
daniel333
Builder
06-29-2016
11:47 AM
alt text
I want an alert if an application pool drops more than 99% of logging. (We have an issue where before a JVM crashes, its logs start to really slow down, and they often blame Splunk) .
So I thought, okay. Get a count of the last 15 minutes. Then get a count of the previous 15 minutes by App_pool. However, the numbers I am getting don't match up to a timechart.
tag=java |
stats count as "Current" by app_pool |
appendcols [search tag=java earliest=-30m@m latest=-15m@m|
stats count as "Previous" by app_pool ] |
eval myratio=Current/Previous |
eval prcIncrease=myratio*100 |
table app_pool, Current, Previous, myratio, prcIncrease |
where prcIncrease < 1
My results:
app_pool Current Previous myratio prcIncrease
stc 5352 3874403 0.001381 0.1381
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-07-2016
11:09 AM
Try running this for "Last 30 minutes"
tag=java
| timechart span=15m count BY app_pool
| untable _time app_pool Current
| streamstats current=f last(Current) AS Previous BY host
| eval myratio=Current/Previous
| eval prcIncrease=myratio*100
| where prcIncrease < 1
This will actually work for time span.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-29-2016
07:01 PM
try changing the order of the searches
tag=java earliest=-30m@m latest=-15m@m|stats count as "Previous" by app_pool |appendcols [tag=java earliest=-15m| stats count as "Current" by app_pool ]
| eval myratio=Current/Previous | eval prcIncrease=myratio*100 |table app_pool, Current, Previous, myratio, prcIncrease |where prcIncrease < 1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
What's New in Splunk Observability - October 2025
What’s New? We’re excited to announce the latest enhancements to Splunk Observability Cloud and share what’s ...
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
🗣 You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...
