The following Splunk search is what I'm using to construct the dynamic threshold of an alert I want to create:
sourcetype=my_source earliest=-28d
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H")
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5)
| bucket _time span=1d
| stats count by _time
| stats avg(count) as dynThreshold | eval dynThreshold=(1.3*dynThreshold)
Now I want to create an alert where the result count is greater than the dynThreshold value constructed above. Can someone help with this please?
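One way to turn this into an alert is to compute the baseline and the current window in the same search, then keep only the row where the current count exceeds the threshold, so the alert can simply trigger on "number of results > 0". This is an added example, not the poster's search: it assumes the same sourcetype and 28-day lookback, and the field names minOfWeek, minsBefore, window and baseline are made up here. It also goes a little beyond the original by computing a minute-of-week offset so the five-minute window does not break at hour or day boundaries.

```spl
sourcetype=my_source earliest=-28d@d
| eval evtMinOfWeek = tonumber(strftime(_time,"%w"))*1440 + tonumber(strftime(_time,"%H"))*60 + tonumber(strftime(_time,"%M"))
| eval nowMinOfWeek = tonumber(strftime(now(),"%w"))*1440 + tonumber(strftime(now(),"%H"))*60 + tonumber(strftime(now(),"%M"))
``` minutes between the event's minute-of-week and the current minute, wrapping across the week (10080 minutes) ```
| eval minsBefore = (nowMinOfWeek - evtMinOfWeek + 10080) % 10080
``` keep the 5 full minutes before the current (partial) minute, on the same weekday in every week of the lookback ```
| where minsBefore >= 1 AND minsBefore <= 5
``` the window from today is "current"; the same window on earlier same weekdays is "baseline" ```
| eval window = if(_time >= relative_time(now(), "-5m@m"), "current", "baseline")
| bucket _time span=1d
| stats count by _time, window
``` average the per-day baseline counts (a baseline day with zero events produces no row and is not averaged in) ```
| eventstats avg(eval(if(window="baseline", count, null()))) as baseline
| where window="current"
| eval dynThreshold = round(1.3 * baseline, 0)
``` a row survives only when the current count is above the threshold; with no baseline rows, baseline is null and nothing fires ```
| where count > dynThreshold
| table _time, count, baseline, dynThreshold
```

Save this as a scheduled alert (for example a cron of */5 * * * *) with the trigger condition "Number of Results is greater than 0"; the surviving row carries the count and threshold for the alert message.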