Triggered alerts query - Need help with date

jason2 · ‎10-30-2024

Putting together a query that shows, on an individual alert level, the number of times the alert fired in a day and the average we were expecting. Below is the query as it stands now, but I am looking for a way to only show records from today/yesterday, instead of for the past 30 days.

Any help would be appreciated

index=_audit action="alert_fired" earliest=-30d latest=now 
| eval date=strftime(_time, "%Y-%m-%d")
| stats count AS actual_triggered_alerts by ss_name date
| eventstats avg(actual_triggered_alerts) AS average_triggered_alerts by ss_name
| eval average_triggered_alerts = round(average_triggered_alerts,0)
| eval comparison = case(
actual_triggered_alerts = average_triggered_alerts, "Average",
actual_triggered_alerts > average_triggered_alerts, "Above Average",
actual_triggered_alerts < average_triggered_alerts, "Below Average")
| search comparison!="Average"
| table date ss_name actual_triggered_alerts average_triggered_alerts
| rename date as "Date", ss_name as "Alert Name", actual_triggered_alerts as "Actual Triggered Alerts", average_triggered_alerts as "Average Triggered Alerts"

PickleRick · ‎10-30-2024

You explicitly search for earliest=-30d so you're getting results from last 30 days.

jason2 · ‎10-31-2024

The earliest=-30d is there so I can get an average count for each the count for each triggered alert over the past 30 days. My question is how can I limit those results so I only see records from yesterday, not the other 29 days

PickleRick · ‎10-31-2024

Just filter with

| where _time>=now()-86400

(Or whatever time limit you need) before you remove the _time field with the table command.

Triggered alerts query - Need help with date

eval

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services