Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- To add multiple criteria to determine drop in traf...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=circuit basequery1 earliest=-10m@m latest=@m|fields count | stats count AS currentMinuteCount | appendcols [search index=circuit basequery1 earliest=-20m@m latest=-10m@m |fields count| stats count AS previousMinuteCount]|where currentMinuteCount < 0.5*previousMinuteCount
This is just a basic check to determine if traffic has dropped below 50% when compared to previous 10 mins traffic count. If this Alert is missed out, then subsequent checks will pass as there would be no traffic. If I don't find any traffic in previous 10 mins, I wanted to check for a window of 30 mins. Any help or suggestion is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this. I dropped the appendcols, as it will slow the search and it makes it harder to do the "fallback" that you want. This may not be exactly what you wanted, but I did this: I retrieved the the past 30 minutes of data and then broke it into 3 categories: the most recent 10 minutes (current), from 10-20 minutes ago (previous) and from 20-30 minutes ago (earliest). After counting the events in each category, I then checked to see if there were any events in the "previous" category. If there were none, I used the "earliest" category for the final comparison.
index=circuit basequery1 earliest=-30m@m latest=@m
| eval timeSlot=case(_time < relative_time(now(),"-20m"),"Earliest",
_time < relative_time(now(),"-10m"),"Previous",
true(),"Current")
| stats count(eval(timeSlot=="Previous")) as previousMinuteCount,
count(eval(timeSlot=="Current")) as currentMinuteCount,
count(eval(timeSlot=="Earliest")) as earliestMinuteCount
| eval compareWith = if(previousMinuteCount>0,previousMinuteCount,earliestMinuteCount)
| where currentMinuteCount < 0.5*compareWith
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this. I dropped the appendcols, as it will slow the search and it makes it harder to do the "fallback" that you want. This may not be exactly what you wanted, but I did this: I retrieved the the past 30 minutes of data and then broke it into 3 categories: the most recent 10 minutes (current), from 10-20 minutes ago (previous) and from 20-30 minutes ago (earliest). After counting the events in each category, I then checked to see if there were any events in the "previous" category. If there were none, I used the "earliest" category for the final comparison.
index=circuit basequery1 earliest=-30m@m latest=@m
| eval timeSlot=case(_time < relative_time(now(),"-20m"),"Earliest",
_time < relative_time(now(),"-10m"),"Previous",
true(),"Current")
| stats count(eval(timeSlot=="Previous")) as previousMinuteCount,
count(eval(timeSlot=="Current")) as currentMinuteCount,
count(eval(timeSlot=="Earliest")) as earliestMinuteCount
| eval compareWith = if(previousMinuteCount>0,previousMinuteCount,earliestMinuteCount)
| where currentMinuteCount < 0.5*compareWith
HTH
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
