Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set up an Alert when the count exceeds 100 in a week?

Rapidz
Explorer
‎01-05-2023 01:28 PM

I am setting up an alert to notify when a message is received more than a 100 times in a week. I figured it out for the total, but not within a week time range. Any help is appreciated.

 

 

 

'Bitgo webhook error' | stats count as Bitgo_Webhook_Errors | where Bitgo_Webhook_Errors >=100

 

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2023 05:12 PM

It depends on how the search is used.  Either limit the search to a single week or break the results into one-week chunks.

Search a single week:

'Bitgo webhook error' earliest = -1w
| stats count as Bitgo_Webhook_Errors 
| where Bitgo_Webhook_Errors >=100

The exact placement of the earliest option depends on the definition of the macro - the option may have to go inside the macro.  Also, the relative time setting may need adjustment depending on whether you want to search the last 7 days or the previous Sun-Sat.

To break the results into chunks:

'Bitgo webhook error' 
| bin span=1w _time
| stats count as Bitgo_Webhook_Errors by _time
| where Bitgo_Webhook_Errors >=100

Again, the "1w" may have to change depending on your definition of a week.

---
If this reply helps you, Karma would be appreciated.
Reply

Rapidz
Explorer
‎01-10-2023 08:48 AM

@richgalloway 

When you say the placement of the of the earliest option may have to be moved, does it just have to move for the earliest command gets highlighted pink? The only way it gets highlighted pink is if it is formatted like this:

'Bitgo webhook error' 
| stats count as Bitgo_Webhook_Errors earliest = -1w
| where Bitgo_Webhook_Errors >=100

 

I want to make sure I am understanding you properly, for this search will trigger when necessary. 

Thanks for the help!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2023 08:51 AM

The earliest option is valid only with the search command.  That usually means it must be before the first pipe.  Note that the first pipe might be inside the macro.

---
If this reply helps you, Karma would be appreciated.
Reply

Rapidz
Explorer
‎01-10-2023 09:02 AM

@richgalloway 

Ok that makes sense, So in my case does this look right?

Screen Shot 2023-01-10 at 10.01.42 AM.png

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2023 10:44 AM

Maybe.  It depends on the definition of the macro.  Type CTRL-Shift-E in the SPL box to see the expanded macro.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...