Solved: Need help in writing query in Splunk

vn_g · ‎09-10-2020

Query required :

If a count of certain condition in the last rolling 12 hours exceeds 10% more than the avg daily number of count of certain condition for the last 7 days

ITWhisperer · ‎09-10-2020

"with condition" earliest="-8d@d" latest="@d" 
| bin span=1d _time 
| stats count by _time 
| stats avg(count) as average 
| fields average 
| appendcols 
    [ search "with same condition" earliest="-12h@m"
    | stats count 
    | fields count ]
| eval high=1.1*average
| eval alert=if(count > high, "1", "0")

Set time period of search to be at least the past 8 days

View solution in original post

vn_g · ‎09-10-2020

Can you explain why earliest="-12h@m" is used?

ITWhisperer · ‎09-10-2020

The overall query has to cover the previous 8 days to get your average daily count, the earliest="-12h@m" is used to restrict this part of the search to be your rolling 12 hours i.e. -12 hours snapped to the minute. If you want it snapped to the hour, then use earliest="-12h@h". This is what I assumed you meant by "last rolling 12 hours"

ITWhisperer · ‎09-10-2020

"with condition" earliest="-8d@d" latest="@d" 
| bin span=1d _time 
| stats count by _time 
| stats avg(count) as average 
| fields average 
| appendcols 
    [ search "with same condition" earliest="-12h@m"
    | stats count 
    | fields count ]
| eval high=1.1*average
| eval alert=if(count > high, "1", "0")

Set time period of search to be at least the past 8 days

Need help in writing query in Splunk

count

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!