Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

query the number between a range

deepakaakula
Explorer
‎07-17-2020 06:31 AM

Hi,

I have alerts when the number goes above certain % of the disk usage. So there are alerts at 70, 80, 90. It works fine. But when there is a 70% alert, I get alerted twice, because of 70% and also 60% usage.

Here is what the query looks like. I am trying to keep the alert segmented to query the number only between 60-69.99 and 70.00-79.99 and so on.

aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 )

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 08:33 AM

I don't understand why you are getting alerts about 60 when the alert clearly looks for values greater than 70.

Try this method for looking for values within a range.

aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 AND account_disk_quota < 80 )
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 08:33 AM

I don't understand why you are getting alerts about 60 when the alert clearly looks for values greater than 70.

Try this method for looking for values within a range.

aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 AND account_disk_quota < 80 )
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-30-2020 06:09 PM

hi @richgalloway 

I thought the alert seems to be working fine,  but today the disk usage hit 70%, but the alert has triggered twice. once for the 70% as expected, and also the 60% one. These are the queries I have right now.

Do you recommend any modifications?

 

60% threshold query:    "aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 60 AND account_disk_quota < 70 )"

 

70% query:   "aws_account="cloud" "DSM: Current disk usage for account" (account_disk_quota > 70 AND account_disk_quota < 80 )"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2020 06:16 AM
This seems normal to me. On the way to 70% usage, the disk would reach 60% usage, would it not?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-31-2020 06:21 AM

Right, but the disk was at 60% from last 2 weeks, and yesterday evening it reached 70%.
So every time there is an increase in the 70% range, I get alerted twice from 60% and 70% monitors.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2020 07:44 AM
I think I understand, but I don't have a suggestion. Sorry.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-17-2020 09:59 AM

Thanks Rich. I have 4 different alerts with same query for 60, 70, 80, 90%. I just mentioned one of it here.

So when 90% is triggered, I get alerted 4 times.

I tried the query you gave with and operation. It did not seems to work.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 10:18 AM
Please explain "it did not seems to work". Did it work or did it not? What results did you get? What did you expect to get?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

deepakaakula
Explorer
‎07-17-2020 10:30 AM

sorry, please ignore my last message. I was querying it for different profile, and I got 0 events back.

 

I checked with the correct profile, and it worked perfectly now.

 

Thank you.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...