Splunk Search

Splunk Alerts

bgill0123
Loves-to-Learn

I have a search that gives me the total number of hits to my website and the average number of hits over a 5 day period. I need to know how to set up a Splunk alert that notifies me when the avg number of hits over a 5 day period increases or decreases by 10%. I can't seem to figure this out; any help would be appreciated.

0 Karma

bgill0123
Loves-to-Learn

Sorry, I should have been a bit more clear:

Here is the search I am using that gives me the total number of hits to my website on any given day from a specific country.

For example this search might return: 

Canada 10

Mexico 30

index=data sourcetype=access ip="*" | iplocation allfields=true ip | where country!="United States" | stats count by country

I would like to set up a search to show me if traffic from any given country drops by 10% or more and then list the countries that have the drop in traffic...

Thanks

0 Karma

PickleRick
SplunkTrust

First thing would be to change simple

| stats count by country

to

| timechart span=1d count by country

This will give you a separate count for each day and each country.

Now you can either use

| timewrap 1day

to get a... not very pretty vector which is not very nice to work with

or - which I'd do probably - use

| transpose 0

to get a list of fields called "row 1", "row 2" (and possibly more if you had more days in your search) from which you can calculate your delta.

0 Karma

bgill0123
Loves-to-Learn

Hello

I changed the search to timechart span=1d count by country and it does give me the separate count per day by country, but instead of listing out all the countries it lists the top ten and then lumps all the other hits into an "other" field. Is there a way to change that so the timechart will list everything?

Thanks

0 Karma

PickleRick
SplunkTrust

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Timechart

You'll want the useother and limit options for the timechart command.

0 Karma

PickleRick
SplunkTrust

The requirement is a bit imprecise. Do you mean when a 5-day rolling window average drops by 10% from one day to another, or do you want to compare the average number of hits in 5 days versus the average from the preceding 5 days (so you want to calculate two values from 10 days in total), or maybe something else?

0 Karma

scelikok
SplunkTrust

Hi @bgill0123,

You should run your search using a time range of 15 days or more to be able to compare, and use the "delta" command like below (assuming your 5-day average hit count field is "five_days_avg_count"):

| delta five_days_avg_count as diff 
| eval perc_diff=abs(diff*100/five_days_avg_count)
| search perc_diff > 10

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma
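Putting the two suggestions above together, here is a complete search that could be saved as the alert. It is an added example, not code from any of the posters: it keeps `limit=0 useother=f` so no country is folded into "other", uses `untable` instead of `transpose` to get one row per country per day (with zero-filled days, which `stats` would not produce), and replaces `delta` with a `streamstats` 5-day baseline so the percentage is measured against the previous five complete days. Index, sourcetype and field names come from the original search; the `earliest`/`latest` window and the `hits`, `prev_5d_avg` and `pct_change` field names are assumptions.

```spl
index=data sourcetype=access ip="*" earliest=-7d@d latest=@d
| iplocation allfields=true ip
| where country!="United States"
| timechart span=1d limit=0 count BY country useother=f usenull=f
| untable _time country hits
| streamstats window=5 current=f count AS baseline_days avg(hits) AS prev_5d_avg BY country
| where baseline_days=5
| eval pct_change=if(prev_5d_avg > 0, round((hits - prev_5d_avg) * 100 / prev_5d_avg, 1), null())
| eventstats max(_time) AS last_day
| where _time=last_day AND abs(pct_change) >= 10
| eval day=strftime(_time, "%Y-%m-%d")
| table day country prev_5d_avg hits pct_change
| sort pct_change
```

Schedule it once a day after midnight with the trigger condition "number of results is greater than 0"; the `baseline_days=5` check keeps a country from alerting until it has five full days of history, and the `prev_5d_avg > 0` guard avoids a division by zero for countries that had no traffic at all. To alert only on drops, as the second post asks, replace `abs(pct_change) >= 10` with `pct_change <= -10`.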