Log Volume Monitoring

Splunk Search

Hi Splunkers,

Happy Holidays!!!.

I am trying to create a dashboard on Log Volume Monitoring. I am using ML Toolkit and need help with my search.

| tstats count WHERE index=index_name BY index _time span=1h
| eval date=strftime(_time,"%m/%d/%Y")
| lookup Paid_Holidays.csv holiday_date as date OUTPUT is_holiday
| eval day_of_week = strftime(_time,"%A")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| where NOT is_holiday=1
| `forecastviz(245, 240, "count", 93)`
| eval isOutlier = if(prediction!="" AND 'count' != "" AND ('count' < 'lower95(prediction)' OR 'count' > 'upper95(prediction)'), 1, 0)
| where isOutlier=1
| eval today = relative_time(now(),"-1h@h")
| where isOutlier=1 AND _time >= today
| where count < 'lower95(prediction)'
| fields - isOutlier

The highlighted and underlined part is where I am having issue. I need to alert only when the count is less than the predicted in the next hour as well. The current scenario alerts frequently and I need to constrict it so it alerts only when the count is less continuously for the next hour as well. Can someone help me with my query?

Get Updates on the Splunk Community!

Log Volume Monitoring

count

eval

fields

stats

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

Log Volume Monitoring

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.