Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Alerts

bgill0123
Loves-to-Learn
‎02-16-2024 10:17 AM

I have a search that gives me the total number of hits to my website and the average number of hits over a 5 day period. I need to know how to setup a splunk alert, that notifies me when the avg number of hits over a 5 day period increases or decreases by 10%. I can't seem to figure this out, any help would be appreciated.

Labels (1)
Labels
0 Karma
Reply

bgill0123
Loves-to-Learn
‎02-26-2024 08:02 AM

Sorry I should have be a bit more clear: 

Here is the search I am getting that gives me to total number of hits to my website on any give day from a specific country..

For example this search might return: 

Canda 10

Mexico 30

index=data sourcetype=access | ip="*" | iplocation allfields=true ip | where country ! United States | stats count by country

I would like to set up a search to show me if traffic from any given country drops by 10% or more and the list the countries that have the drop in traffic...

 

Thanks

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-26-2024 08:24 AM

First thing would be to change simple

| stats count by country

to

| timechart span=1d count by country

This will give you a separate count for each day and each country.

Now you can either use

| timewrap 1day

to get a... not very pretty vector which is not very nice to work with

or - which I'd do probably - use

| transpose 0

To get a list of fields called "row 1", "row 2" (and possibly more if you had more days in your search) from which you can calculate your delta.

0 Karma
Reply

bgill0123
Loves-to-Learn
‎02-26-2024 09:19 AM

Hello

I changed the search to timechart span=1d count by country   and it does give me the seperate county per day by country but instead of listing out all the countries it lists the top ten the lumps all the other hits into an "other"  field. Is there a way to change that so the timechart will list everthing?

 

Thanks

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-26-2024 02:04 PM

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Timechart

You'll want the useother and limit options for the timechart command.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-16-2024 11:45 PM

The requirement is a bit imprecise. Do you mean when a 5-days rolling window average drops by 10% from one day to another or do you want to compare average number of hits in 5 days versus an average from preceeding 5 days (so you want to calculate two values from 10 days in total) or maybe something else?

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-16-2024 12:11 PM

Hi @bgill0123,

You should run your search using a time range of 15 days or more to be able to compare and use "delta" command like below; (assuming you 5 days average hit count field is "five_days_avg_count")

| delta five_days_avg_count as diff 
| eval perc_diff=abs(diff*100/five_days_avg_count)
| search perc_diff > 10

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...