Include results of another search in the body of a...

jtsplunk · ‎04-04-2016

I have an alert that fires when the hourly count is 50% greater hour over hour, this seems to be working fine:

index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=@h | stats count as LastHour | appendcols [search index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | stats count as CurrHour] | where CurrHour>1.5*LastHour

This reports the LastHour and CurrHour values, which I would like. In addition to this I would also like the report to include something like the results from this search when the alert fires:

index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | chart count over errorCode

I'm not sure how to combine these to include both of these in the report output.

somesoni2 · ‎04-04-2016

Try this as your alert search

index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=now 
| eval period=if(_time>=relative_time(now(),"@h"),"CurrHour","LastHour") | chart count over errorCode by period | eventstats sum(CurrHour) as totCurrHour sum(LastHour) as totLastHour | where totCurrHour>1.5*totLastHour

Include results of another search in the body of an alert?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms