Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk indexing volume by index alert

splunkiscool1
Engager
‎04-12-2013 11:06 AM

Hello,

I would like to get an alert if the indexing volume for an index drops.

I'm thinking something similar this, but I'm not sure how to translate it to Splunk's language:

if (yesterday's total indexing volume for EACH index) is at least 20% less than (the average daily indexing volume for EACH index over -2 to -7 days) then (alert)

Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-12-2013 12:34 PM

Starting with the index volume query from the Status menu in Search you can build this:

index=_internal source=*metrics.log group=per_index_thruput | bin span=1d _time | stats sum(kbps) as daily_volume by series _time | eventstats avg(daily_volume) as avg_volume by series | where _time = relative_time(now(), "@d-d") AND daily_volume < avg_volume * 0.8

Run over -7d@d to @d and alert whenever this yields a result.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-12-2013 12:34 PM

Starting with the index volume query from the Status menu in Search you can build this:

index=_internal source=*metrics.log group=per_index_thruput | bin span=1d _time | stats sum(kbps) as daily_volume by series _time | eventstats avg(daily_volume) as avg_volume by series | where _time = relative_time(now(), "@d-d") AND daily_volume < avg_volume * 0.8

Run over -7d@d to @d and alert whenever this yields a result.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2013 05:51 AM

Yesterday was Sunday, the where is hence looking for a day that was filtered out in the main search.

0 Karma
Reply
Solved! Jump to solution

splunkiscool1
Engager
‎04-15-2013 05:24 AM

index=_internal source=*metrics.log group=per_index_thruput (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday) | bin span=1d _time | stats sum(kbps) as daily_volume by series _time | eventstats avg(daily_volume) as avg_volume by series | where _time = relative_time(now(), "@d-d") AND daily_volume > avg_volume * 0.8

I get no results whether I have a < or >. When removing the (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday) I do get results with the original search from your first post

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2013 05:08 AM

Append this to the main search:

(date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
0 Karma
Reply
Solved! Jump to solution

splunkiscool1
Engager
‎04-15-2013 04:56 AM

Thanks martin!

I'm trying to figure out how to specify weekdays only(as this will trigger every weekend how it is now, because I have an expected large drop in volume during the weekend).

So, I would like to just ignore weekends, and only run the search throughout the week, but the average should only be calculated with weekdays as well.

I see in Splunk Documentation how to specify a specific day of the week, but how could I specify to go 7 days back, but only average the weekdays?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...