Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract "seconds" and "documents" fields from each event, chart the average of seconds/document, and alert if the average is greater than 1?

MikeBertelsen
Communicator
‎06-15-2015 07:19 AM

Trying to get an alert from Splunk when an average for a specified time and number of documents > 1.
Example taken for this event:
TIME TAKEN : 2.59 second(s) , NO OF DOCS : 3

2.59/3 =.86333 seconds per document

We want to track if the value is 1 second per document.
Once we have that, if the trend is that this value continues to climb over, we want another alert to warn us of a potential memory leak.

Any help appreciated.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-15-2015 07:25 AM

Try this:

| rex "TIME TAKEN : (?<seconds>\S+).*NO OF DOCS : (?<documents>\d+)" | eval docsPerSecond = documents/seconds | where docsPerSecond > 1 | timechart span=1h avg(docsPerSecond)
0 Karma
Reply

chimell
Motivator
‎06-16-2015 02:49 AM

Hi MikeBertelsen
Run the query that Woodcock gave you . Save it as alert by filling the important field

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...