Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a query to have count of time where time is greater than 20s hits of one field "Time " against total time hits "Time" ,to create alert .

guru865
Path Finder
‎03-01-2017 08:57 AM

here is a search i'm using for one alert.

sourcetype=xx  source="*yy"   method=*  timeDiff|    eval Time=ltrim(rtrim(timeDiff,"S"),"PT") | stats count(Time) as Total_Hits | search Time>20

The above search fulfills the alert request to get the total hits where time is greater than 20 s.

I would like to have the count of total hits on whole and greater than 20 s hits and would like to trigger the alert .

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-01-2017 09:15 AM

How about this. This alert query will return result (so you can alert when 'number of events greater than zero') when there are events with Time>20.

sourcetype=xx  source="*yy"   method=*  timeDiff
| eval Time=ltrim(rtrim(timeDiff,"S"),"PT") 
| stats count as Total_Hits count(eval(Time>20)) as AlertField
| where AlertField>0
| rename AlertField as "Hits_With_Time>20"

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-01-2017 10:25 AM

Like this:

sourcetype=xx  source="*yy"   method=*  timeDiff |  eval Time=ltrim(rtrim(timeDiff,"S"),"PT")
| stats count(eval(Time>20)) AS Time20Plus | search Time20Plus>20
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-01-2017 09:15 AM

How about this. This alert query will return result (so you can alert when 'number of events greater than zero') when there are events with Time>20.

sourcetype=xx  source="*yy"   method=*  timeDiff
| eval Time=ltrim(rtrim(timeDiff,"S"),"PT") 
| stats count as Total_Hits count(eval(Time>20)) as AlertField
| where AlertField>0
| rename AlertField as "Hits_With_Time>20"
Reply
Solved! Jump to solution

guru865
Path Finder
‎03-01-2017 01:59 PM

Thanks alot somesoni2.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-01-2017 09:08 AM

At the very least, you need to test against the name of the field that you just created, because after the stats command, the field Time no longer exists.

 | stats count(Time) as Total_Hits | search Total_Hits>20

more likely, you want 

| stats count(eval(Time>20)) as Hits20 count as HitsTotal

Here's some test code you can play with -

|makeresults | eval Time="20 45 1 4 13 25 71 819 12" | makemv Time |mvexpand Time 
| stats count(eval(Time>20)) as Hits20 count as HitsTotal
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...