×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
saro0710
New Member
Member since: ‎10-24-2011
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-24-2011
View All

Re: Splunk alert configuration based on dynamic lo...

by in Dashboards & Visualizations
‎10-24-2011 04:36 AM
3 Karma
‎10-24-2011 04:36 AM
3 Karma
This sounds like something you could do with the anomalies operator. It applies to a sliding window of events for which it monitors a field you define, and then assign an "unexpectedness" score to each value of that field. So if you have a windows containing 10000 events and 9000 of them have the value "foo", 999 have the value "obnoxious ozelot" and the 10000th event arrives with the value "preposterous panda", Splunk will assign a very high unexpectedness score to that since it's never been seen before in the sliding window of events. You could then use the unexpectedness in your alert conditions to trigger alerts on events that don't match any of the expected values. More information on the anomalies command is available here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Anomalies ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM