Splunk Search

How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

vallurupallic
Engager

The following splunk search is what I'm using to construct the dynamic threshold of a alert I want to create:

sourcetype=my_sourceearliest=-28d 
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5) 
| bucket _time span=1d
| stats count by _time 
| stats avg(count) as dynThreshold | eval dynThreshold=(1.3*dynThreshold)

Now I want to create a alert where the result count is greater than the dynThreshold value constructed above. can someone help with this please.

0 Karma
1 Solution

adonio
Ultra Champion

try this anywhere:

| gentimes start=-28 increment=1h
| eval _time = starttime
| eval random_value = random()%200
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=$today$ AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-15) 
| bucket _time span=1d
| stats avg(random_value) as avg_ran by _time
| eventstats avg(avg_ran) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(avg_ran > dynZThreshold,1,0)

i changed ... AND (eventMin > curMin-5 to ... > curMin-15 to make sure you will see results

hope it helps

View solution in original post

adonio
Ultra Champion

try this anywhere:

| gentimes start=-28 increment=1h
| eval _time = starttime
| eval random_value = random()%200
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=$today$ AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-15) 
| bucket _time span=1d
| stats avg(random_value) as avg_ran by _time
| eventstats avg(avg_ran) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(avg_ran > dynZThreshold,1,0)

i changed ... AND (eventMin > curMin-5 to ... > curMin-15 to make sure you will see results

hope it helps

vallurupallic
Engager

im trying to substitute the use of random value above with the search query result set. But im not able to find any results. I tried the search query just after gentimes as gentimes need to be the first command. can you help please

0 Karma

adonio
Ultra Champion

the | gentimes is an example
use your search

sourcetype=my_sourceearliest=-28d
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H")
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5)
| bucket _time span=1d
| stats count as tot_count by _time
| eventstats avg(tot_count) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(tot_count > dynZThreshold,1,0)

0 Karma

vallurupallic
Engager

That worked. Thank you.

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...