Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a query to have count of time where time is greater than 20s hits of one field "Time " against total time hits "Time" ,to create alert .

guru865
Path Finder
‎03-01-2017 08:57 AM

here is a search i'm using for one alert.

sourcetype=xx  source="*yy"   method=*  timeDiff|    eval Time=ltrim(rtrim(timeDiff,"S"),"PT") | stats count(Time) as Total_Hits | search Time>20

The above search fulfills the alert request to get the total hits where time is greater than 20 s.

I would like to have the count of total hits on whole and greater than 20 s hits and would like to trigger the alert .

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-01-2017 09:15 AM

How about this. This alert query will return result (so you can alert when 'number of events greater than zero') when there are events with Time>20.

sourcetype=xx  source="*yy"   method=*  timeDiff
| eval Time=ltrim(rtrim(timeDiff,"S"),"PT") 
| stats count as Total_Hits count(eval(Time>20)) as AlertField
| where AlertField>0
| rename AlertField as "Hits_With_Time>20"

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-01-2017 10:25 AM

Like this:

sourcetype=xx  source="*yy"   method=*  timeDiff |  eval Time=ltrim(rtrim(timeDiff,"S"),"PT")
| stats count(eval(Time>20)) AS Time20Plus | search Time20Plus>20
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-01-2017 09:15 AM

How about this. This alert query will return result (so you can alert when 'number of events greater than zero') when there are events with Time>20.

sourcetype=xx  source="*yy"   method=*  timeDiff
| eval Time=ltrim(rtrim(timeDiff,"S"),"PT") 
| stats count as Total_Hits count(eval(Time>20)) as AlertField
| where AlertField>0
| rename AlertField as "Hits_With_Time>20"
Reply
Solved! Jump to solution

guru865
Path Finder
‎03-01-2017 01:59 PM

Thanks alot somesoni2.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-01-2017 09:08 AM

At the very least, you need to test against the name of the field that you just created, because after the stats command, the field Time no longer exists.

 | stats count(Time) as Total_Hits | search Total_Hits>20

more likely, you want 

| stats count(eval(Time>20)) as Hits20 count as HitsTotal

Here's some test code you can play with -

|makeresults | eval Time="20 45 1 4 13 25 71 819 12" | makemv Time |mvexpand Time 
| stats count(eval(Time>20)) as Hits20 count as HitsTotal
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...