Solved: Need help in writing query in Splunk

vn_g · ‎09-10-2020

Query required :

If a count of certain condition in the last rolling 12 hours exceeds 10% more than the avg daily number of count of certain condition for the last 7 days

ITWhisperer · ‎09-10-2020

"with condition" earliest="-8d@d" latest="@d" 
| bin span=1d _time 
| stats count by _time 
| stats avg(count) as average 
| fields average 
| appendcols 
    [ search "with same condition" earliest="-12h@m"
    | stats count 
    | fields count ]
| eval high=1.1*average
| eval alert=if(count > high, "1", "0")

Set time period of search to be at least the past 8 days

View solution in original post

vn_g · ‎09-10-2020

Can you explain why earliest="-12h@m" is used?

ITWhisperer · ‎09-10-2020

The overall query has to cover the previous 8 days to get your average daily count, the earliest="-12h@m" is used to restrict this part of the search to be your rolling 12 hours i.e. -12 hours snapped to the minute. If you want it snapped to the hour, then use earliest="-12h@h". This is what I assumed you meant by "last rolling 12 hours"

ITWhisperer · ‎09-10-2020

"with condition" earliest="-8d@d" latest="@d" 
| bin span=1d _time 
| stats count by _time 
| stats avg(count) as average 
| fields average 
| appendcols 
    [ search "with same condition" earliest="-12h@m"
    | stats count 
    | fields count ]
| eval high=1.1*average
| eval alert=if(count > high, "1", "0")

Set time period of search to be at least the past 8 days

Need help in writing query in Splunk

count

stats

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?