Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

vallurupallic
Engager
‎07-15-2019 01:44 PM

The following splunk search is what I'm using to construct the dynamic threshold of a alert I want to create:

sourcetype=my_sourceearliest=-28d 
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5) 
| bucket _time span=1d
| stats count by _time 
| stats avg(count) as dynThreshold | eval dynThreshold=(1.3*dynThreshold)

Now I want to create a alert where the result count is greater than the dynThreshold value constructed above. can someone help with this please.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-15-2019 05:11 PM

try this anywhere:

| gentimes start=-28 increment=1h
| eval _time = starttime
| eval random_value = random()%200
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=$today$ AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-15) 
| bucket _time span=1d
| stats avg(random_value) as avg_ran by _time
| eventstats avg(avg_ran) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(avg_ran > dynZThreshold,1,0)

i changed ... AND (eventMin > curMin-5 to ... > curMin-15 to make sure you will see results

hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-15-2019 05:11 PM

try this anywhere:

| gentimes start=-28 increment=1h
| eval _time = starttime
| eval random_value = random()%200
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=$today$ AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-15) 
| bucket _time span=1d
| stats avg(random_value) as avg_ran by _time
| eventstats avg(avg_ran) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(avg_ran > dynZThreshold,1,0)

i changed ... AND (eventMin > curMin-5 to ... > curMin-15 to make sure you will see results

hope it helps

Reply
Solved! Jump to solution

vallurupallic
Engager
‎07-16-2019 07:44 AM

im trying to substitute the use of random value above with the search query result set. But im not able to find any results. I tried the search query just after gentimes as gentimes need to be the first command. can you help please

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-16-2019 07:48 AM

the | gentimes is an example
use your search

sourcetype=my_sourceearliest=-28d
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H")
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5)
| bucket _time span=1d
| stats count as tot_count by _time
| eventstats avg(tot_count) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(tot_count > dynZThreshold,1,0)

0 Karma
Reply
Solved! Jump to solution

vallurupallic
Engager
‎07-16-2019 08:06 AM

That worked. Thank you.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...