Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

query the number between a range

deepakaakula
Explorer
‎07-17-2020 06:31 AM

Hi,

I have alerts when the number goes above certain % of the disk usage. So there are alerts at 70, 80, 90. It works fine. But when there is a 70% alert, I get alerted twice, because of 70% and also 60% usage.

Here is what the query looks like. I am trying to keep the alert segmented to query the number only between 60-69.99 and 70.00-79.99 and so on.

aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 )

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 08:33 AM

I don't understand why you are getting alerts about 60 when the alert clearly looks for values greater than 70.

Try this method for looking for values within a range.

aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 AND account_disk_quota < 80 )
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 08:33 AM

I don't understand why you are getting alerts about 60 when the alert clearly looks for values greater than 70.

Try this method for looking for values within a range.

aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 AND account_disk_quota < 80 )
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-30-2020 06:09 PM

hi @richgalloway 

I thought the alert seems to be working fine,  but today the disk usage hit 70%, but the alert has triggered twice. once for the 70% as expected, and also the 60% one. These are the queries I have right now.

Do you recommend any modifications?

 

60% threshold query:    "aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 60 AND account_disk_quota < 70 )"

 

70% query:   "aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 AND account_disk_quota < 80 )"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2020 06:16 AM
This seems normal to me. On the way to 70% usage, the disk would reach 60% usage, would it not?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-31-2020 06:21 AM

Right, but the disk was at 60% from last 2 weeks, and yesterday evening it reached 70%.
So every time there is an increase in the 70% range, I get alerted twice from 60% and 70% monitors.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2020 07:44 AM
I think I understand, but I don't have a suggestion. Sorry.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-17-2020 09:59 AM

Thanks Rich. I have 4 different alerts with same query for 60, 70, 80, 90%. I just mentioned one of it here.

So when 90% is triggered, I get alerted 4 times.

I tried the query you gave with and operation. It did not seems to work.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 10:18 AM
Please explain "it did not seems to work". Did it work or did it not? What results did you get? What did you expect to get?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-17-2020 10:30 AM

sorry, please ignore my last message. I was querying it for different profile, and I got 0 events back.

 

I checked with the correct profile, and it worked perfectly now.

 

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top