Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: a problem about sub search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi~ masters
There is case as:
When events count of last 5 min is greater than an average count of 1 hour before (count-of-1h/12), trigger a email alert
I tried this:
summary index:
index="_internal" | fields | sistats count
named Count5magain1h, scheduled every 5min, then:
index=summary search_name=Count5magain1h | sort -_time limit=13 |stats count| rename count as countof65m |
eval Average = (countof65m - [search index=summary search_name=Count5magain1h | sort -_time limit=1 | stats count | rename count as countof5m | return countof5m])/12 |
eval Result=case(countof5m>2*Average,1,countof5m<2*Average,0)
this seems not going to work! I must have mistaken syntax of search
Could someone help me thanks~
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am not sure I understand your question, but try this:
yoursearchhere earliest=-65m latest=-5m
| bucket _time span=5m
| stats count as FiveMinCount by _time
| stats avg(FiveMinCount) as avgCount
| appendcols [ search yoursearchhere earliest=-5m
| stats count as currentCount ]
I don't understand why you are searching the _internal index. In my example above, I have inserted yoursearchhere where your search criteria should go.
Also your custom condition on the alert should be
where currentCount > avgCount
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am not sure I understand your question, but try this:
yoursearchhere earliest=-65m latest=-5m
| bucket _time span=5m
| stats count as FiveMinCount by _time
| stats avg(FiveMinCount) as avgCount
| appendcols [ search yoursearchhere earliest=-5m
| stats count as currentCount ]
I don't understand why you are searching the _internal index. In my example above, I have inserted yoursearchhere where your search criteria should go.
Also your custom condition on the alert should be
where currentCount > avgCount
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much! I am not good at expressing...
But that exactly solved my problem, and helped me with the usage of Splunk
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
