Solved: Possibly to alert based on previous sample compari...

Silah · ‎07-02-2024

Hi

Put simply, I am trying to wrap my head around how I can configure an alert to trigger is a metric is X% higher or lower than the same metric, say 1 day ago.

So for example if I search

index=my_index eventStatus=fault | stats count by eventStatus

Searching "Last 15 minutes", giving say 100 results, can I trigger an alert IF the same search in the same 15 minute timeframe 1 day ago is for example 10% higher or lower?

Thanks

ITWhisperer · ‎07-02-2024

Try something like this (note that if your time range spans midnight, then you will have to do something else with the bin _time)

index=my_index eventStatus=fault [| makeresults
    | eval row=mvrange(0,2) 
    | mvexpand row
    | addinfo
    | eval earliest=relative_time(info_min_time,(row*-1)."d")
    | eval latest=relative_time(info_max_time,(row*-1)."d")
    | table earliest latest]
| bin _time span=1d
| chart count by eventStatus _time
| foreach 1*
    [eval diff=if(isnull(diff),'<<FIELD>>',abs((diff-'<<FIELD>>')/diff))]
| where diff >0.15

View solution in original post

ITWhisperer · ‎07-02-2024

Try something like this (note that if your time range spans midnight, then you will have to do something else with the bin _time)

index=my_index eventStatus=fault [| makeresults
    | eval row=mvrange(0,2) 
    | mvexpand row
    | addinfo
    | eval earliest=relative_time(info_min_time,(row*-1)."d")
    | eval latest=relative_time(info_max_time,(row*-1)."d")
    | table earliest latest]
| bin _time span=1d
| chart count by eventStatus _time
| foreach 1*
    [eval diff=if(isnull(diff),'<<FIELD>>',abs((diff-'<<FIELD>>')/diff))]
| where diff >0.15

Silah · ‎07-02-2024

Thanks, this seem to be producing something like what I am looking for.

Can I ask, what is the significance of this? I don't really understand it

'<<FIELD>>'

Thanks

ITWhisperer · ‎07-02-2024

The foreach command goes through each field listed in the foreach command, in this instance, fieldnames beginning with 1 followed by anything. The time values are all epoch times, which are the number of seconds since the beginning of 1970. At present, these all start with 1. Eventually, in a about 9 years time, this will start with 2. So, within the subsearch of the foreach command (within the square brackets []), the <<FIELD>> value in the subsearch is replaced by the field name from the list. Since, in this case, this is a number, the <<FIELD>> is placed in single quotes '<<FIELD>>' to tell Splunk that it is to be interpreted as a field name (not a number).

bowesmana · ‎07-02-2024

If you search both time segments then work out which group the time belongs to, then compare the two

See this example

index=_audit (earliest=-1d@d latest=-1d@d+15m) OR (earliest=@d latest=@d+15m)
| eval group=if(_time>relative_time(now(),"@d"), "Prev", "Current")
| chart count over user by group
| eval alert=if(Current > Prev * 1.15, 1, 0)

So this sets group according to where _time sits then just chart over user and calculate excess

Silah · ‎07-02-2024

Thanks, I tried this but it only seems to list results that ocurred between 00:00 and 00:15 despite the search being "15 minutes ago"

ITWhisperer · ‎07-02-2024

That's why my solution uses addinfo which gives you the "earliest" and "latest" times from the timepicker

Possibly to alert based on previous sample comparison

stats

subsearch

3 Ways to Make OpenTelemetry Even Better

What's New in Splunk Cloud Platform 9.2.2406?

Enterprise Security Content Update (ESCU) | New Releases