Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log Volume Monitoring

dwibedi03
Explorer
‎12-28-2020 06:34 AM

Hi Splunkers,

Happy Holidays!!!.

I am trying to create a dashboard on Log Volume Monitoring. I am using ML Toolkit and need help with my search.

| tstats count WHERE index=index_name BY index _time span=1h
| eval date=strftime(_time,"%m/%d/%Y")
| lookup Paid_Holidays.csv holiday_date as date OUTPUT is_holiday
| eval day_of_week = strftime(_time,"%A")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| where NOT is_holiday=1
| `forecastviz(245, 240, "count", 93)`
| eval isOutlier = if(prediction!="" AND 'count' != "" AND ('count' < 'lower95(prediction)' OR 'count' > 'upper95(prediction)'), 1, 0)
| where isOutlier=1
| eval today = relative_time(now(),"-1h@h")
| where isOutlier=1 AND _time >= today
| where count < 'lower95(prediction)'
| fields - isOutlier

 

The highlighted and underlined part is where I am having issue. I need to alert only when the count is less than the predicted in the next hour as well. The current scenario alerts frequently and I need to constrict it so it alerts only when the count is less continuously for the next hour as well. Can someone help me with my query?

Labels (5)
Labels
0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!