Log Volume Monitoring

dwibedi03 · ‎12-28-2020

Hi Splunkers,

Happy Holidays!!!.

I am trying to create a dashboard on Log Volume Monitoring. I am using ML Toolkit and need help with my search.

| tstats count WHERE index=index_name BY index _time span=1h
| eval date=strftime(_time,"%m/%d/%Y")
| lookup Paid_Holidays.csv holiday_date as date OUTPUT is_holiday
| eval day_of_week = strftime(_time,"%A")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| where NOT is_holiday=1
| `forecastviz(245, 240, "count", 93)`
| eval isOutlier = if(prediction!="" AND 'count' != "" AND ('count' < 'lower95(prediction)' OR 'count' > 'upper95(prediction)'), 1, 0)
| where isOutlier=1
| eval today = relative_time(now(),"-1h@h")
| where isOutlier=1 AND _time >= today
| where count < 'lower95(prediction)'
| fields - isOutlier

The highlighted and underlined part is where I am having issue. I need to alert only when the count is less than the predicted in the next hour as well. The current scenario alerts frequently and I need to constrict it so it alerts only when the count is less continuously for the next hour as well. Can someone help me with my query?

Log Volume Monitoring

count

eval

fields

stats

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

Log Volume Monitoring

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.