Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a search to alert if there is a growing number of a particular type of event?

Gayathirik
Path Finder
‎08-07-2016 11:20 PM

How to detect if there is a growing number of a particular type of event? It could indicate “flapping” on the Exchange server. I was thinking that a trendline could be made and then if the trend is going up in events day by day, this could detect it. If the number of events is twice the day before or the last few days, then an alert (email) can be sent out. Let me know if that makes sense.

Please provide me with a search that deals with the above requirement.

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll"|
0 Karma
Reply

sundareshr
Legend
‎08-08-2016 06:21 AM

Try this

**** UPDATED**** 

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" earliest=-1d@d | timechart span=1h count | eval day=strftime(_time, "%d") | evenstats avg(count) as hr_avg stdev(count) as hr_stdev by day | table _time count hr_avg hr_stdev | eval alert=if(count>=hr_stdev*2, "Y", "N")
0 Karma
Reply

Gayathirik
Path Finder
‎08-08-2016 06:33 AM

This query is errored out:

Error in "eventstats" command.The argument "stddev(count)" is invalid.

0 Karma
Reply

sjohnson_splunk
Splunk Employee
Splunk Employee
‎08-08-2016 08:49 AM

it's stdev(count) not stddev.

Reply

Gayathirik
Path Finder
‎08-09-2016 12:11 AM

"stdev" is giving 0.0000 value for all the days. the above search query is not providing the expected result.

the count should be the last 7 days but not the current day
it should be considered a "spike" if the count for one day is 2x the average

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...