Hi
At the moment I am running a search on some log files, and looking to trigger an alert when the number of events has dropped by over 80%.
Currently, my alert triggers on a cron schedule every 5 minutes, and the most recent time on the triggered alert always has a count of 0, with a drop of however many events had been counted 5 minutes previously.
This is my search at present:
index=iis earliest=-20m "stringtomatchhere" | timechart span=5m count | delta count as difference | eval percentDifference =round(abs(difference/(count - difference))*100)
Here I am looking to find all events that match the string, which forms part of the uri-stem, chart this at 5 min gaps for the past 20 mins,
delta the count as difference, and then get the percentage difference.
An example of results returned:
The trigger conditions are search difference < 0 AND percentDifference > 80, so I would like to show only where there is a drop in the number of events, and that drop is of a minimum of 80%.
I have it set to run on a cron schedule every 5 mins with a 10m, -5m window.
If anyone could help point me in the right direction it would be much appreciated; I'm just learning the ways of the splunking force.
Thanks for the help
S
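The pipeline in the post, modelled in Python so it can be run offline. This is an added example, not code from the original post and not Splunk's own implementation; it emulates `timechart span=5m count`, `delta count as difference`, the `percentDifference` eval and the trigger condition `difference < 0 AND percentDifference > 80`, and runs them over constructed event timestamps (one matching request every 3 seconds, not real IIS logs). The run time `NOW`, the window helpers and the assumed SPL equivalent of the "completed bucket" window (`earliest=-25m@m latest=-5m@m`, valid when the cron fires just after a 5-minute boundary) are assumptions made for the example. It makes one effect visible: `earliest=-20m` with no `latest` ends the window at the moment the scheduled search runs, so timechart emits a partial newest bucket, and delta against a full previous bucket then reports a large drop whether or not traffic changed; if the events for that bucket have not been indexed yet, the bucket is 0.

```python
"""Added example (not from the original post): an offline model of
`timechart span=5m count | delta count as difference
| eval percentDifference=round(abs(difference/(count - difference))*100)`
and of the trigger `difference < 0 AND percentDifference > 80`."""
from datetime import datetime, timedelta, timezone

SPAN = timedelta(minutes=5)        # timechart span=5m
LOOKBACK = timedelta(minutes=20)   # earliest=-20m
UTC = timezone.utc


def floor_to_span(t, span=SPAN):
    """Snap a timestamp down to the start of its bucket (epoch-aligned, as
    timechart aligns sub-day spans)."""
    step = int(span.total_seconds())
    secs = int(t.timestamp())
    return datetime.fromtimestamp(secs - secs % step, tz=UTC)


def timechart_count(events, earliest, latest, span=SPAN):
    """Emulate `timechart span=5m count` over events in [earliest, latest).
    Every bucket overlapping the window is emitted, empty ones included, so a
    window that ends mid-bucket yields a partial newest bucket."""
    counts = {}
    b = floor_to_span(earliest, span)
    while b < latest:
        counts[b] = 0
        b += span
    for t in events:
        if earliest <= t < latest:
            counts[floor_to_span(t, span)] += 1
    return sorted(counts.items())


def delta_percent(rows):
    """Emulate `delta count as difference | eval percentDifference=...`.
    `count - difference` is the previous bucket's count. The first row has no
    previous value, and a previous count of 0 makes the division undefined;
    both give None here, as they give null in SPL."""
    out, prev = [], None
    for start, count in rows:
        if prev is None:
            diff = pct = None
        else:
            diff = count - prev
            pct = None if prev == 0 else round(abs(diff / prev) * 100)
        out.append({"_time": start, "count": count,
                    "difference": diff, "percentDifference": pct})
        prev = count
    return out


def alert_rows(rows):
    """Emulate the trigger condition `search difference < 0 AND percentDifference > 80`."""
    return [r for r in rows
            if r["difference"] is not None and r["difference"] < 0
            and r["percentDifference"] is not None and r["percentDifference"] > 80]


def open_window(now, lookback=LOOKBACK):
    """`earliest=-20m` with no latest: the window ends when the scheduled
    search runs, part way through the newest bucket."""
    return now - lookback, now


def completed_bucket_window(now, lookback=LOOKBACK, span=SPAN):
    """Window ending on the most recent bucket boundary that is at least one
    span old, so every bucket is complete. Assumed SPL equivalent when the cron
    fires just after a 5-minute boundary: `earliest=-25m@m latest=-5m@m`."""
    latest = floor_to_span(now, span) - span
    return latest - lookback, latest


def run_alert(events, window):
    earliest, latest = window
    rows = delta_percent(timechart_count(events, earliest, latest))
    return rows, alert_rows(rows)


def generate_events(start, stop, every=timedelta(seconds=3)):
    """Constructed sample data (not real logs): one matching request every 3 s in [start, stop)."""
    events, t = [], start
    while t < stop:
        events.append(t)
        t += every
    return events


NOW = datetime(2024, 1, 1, 12, 5, 6, tzinfo=UTC)   # assumed: cron fired 6 s after a 5-minute boundary
STEADY = generate_events(datetime(2024, 1, 1, 11, 30, tzinfo=UTC), NOW)
OUTAGE = generate_events(datetime(2024, 1, 1, 11, 30, tzinfo=UTC),
                         datetime(2024, 1, 1, 11, 52, tzinfo=UTC))  # traffic stops at 11:52


def scenarios():
    """Bucket counts and alert rows for three runs: open window on steady
    traffic (false alert from the partial bucket), completed-bucket window on
    steady traffic (quiet), completed-bucket window during an outage (real alert)."""
    result = {}
    for name, events, window in [
        ("open_steady", STEADY, open_window(NOW)),
        ("snapped_steady", STEADY, completed_bucket_window(NOW)),
        ("snapped_outage", OUTAGE, completed_bucket_window(NOW)),
    ]:
        rows, alerts = run_alert(events, window)
        result[name] = {
            "counts": [r["count"] for r in rows],
            "alerts": [(r["_time"].strftime("%H:%M"), r["difference"], r["percentDifference"])
                       for r in alerts],
        }
    return result


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(name, r)
```

Running the file prints the three scenarios. With the open window the newest bucket holds only the 6 seconds of events that existed when the search fired, so delta reports a 98% drop against the full previous bucket and the trigger fires on steady traffic; with a window that ends on a completed bucket boundary the same traffic is quiet, and the real outage surfaces one bucket later (the 11:55 bucket on the 12:05 run) with a 100% drop. That one-bucket delay is the trade-off for not alerting on partial data.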