cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
devdattajogleka
Explorer
Member since: ‎05-24-2022
‎06-14-2022
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎05-24-2022
Activity Feed
View All

Help Regarding search query

by in Splunk Search
‎06-13-2022 11:48 PM
‎06-13-2022 11:48 PM
Hi, I have following splunk query. | dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory where created_at > Date_sub(Curdate(), INTERVAL 7 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")" It gives me the per-day count of files received in last 7 days along with the date. The result is as follows. date                                              file_count 06/07/22 Tuesday                79 06/08/22 Wednesday         46 06/09/22 Thursday              57 06/10/22 Friday                     5 06/11/22 Saturday               5 06/12/22 Sunday                  227 06/13/22 Monday                187 I want to calculate the running averages of file_counts for all these days.  For e.g. for 1st day, running average is 79/1 = 79 for 2nd day, running average is 79+46/2 = 62.5 for 3rd day, running average is 79+46+57/3 = 60.67 and so on. For this I want to write a query. Please help me with this.   ... View more
Labels

Re: Regarding Splunk custom alert

by in Alerting
‎05-26-2022 06:40 AM
‎05-26-2022 06:40 AM
Yeah got that. Alert is working. Thank you so much. I want to add one more condition to it. The alert should the include the file_count's of last week only. I used following query for that. | dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")" | fields file_count,date | where file_count<100 | eventstats  avg(file_count) as avg_count | where file_count < (avg_count*0.875) or file_count > (avg_count*1.125) | fields file_count,date | where date > relative_time(now(), "-7d@d") Used "-w" instead of  "-7d@d" Also tried using strftime by specifying date format, using 'earliest' time modifier but the query does not yeild any result whereas it should. Please suggest a solution. ... View more

Re: Regarding Splunk custom alert

by in Alerting
‎05-25-2022 02:29 AM
‎05-25-2022 02:29 AM
Actually I want to take average of all 'file_count's which are less than 100. Thats why I have applied where condition first. ... View more

How to configure Splunk custom alert?

by in Alerting
‎05-25-2022 12:13 AM
‎05-25-2022 12:13 AM
Hello, I am configuring a custom splunk alert. My search query is as follows   | dbxquery connection="FFconed_feTenant" query="select count(file_name) as file_count, DATE_FORMAT(created_at,\"%m/%d/%y %W\") as date from ida_files_inventory where created_at > Date_sub(Curdate(), INTERVAL 30 Day) and created_at < Curdate() group by DATE_FORMAT(created_at,\"%m/%d/%y %W\")" | fields file_count,date |where file_count<100 | chart avg(file_count) as avg_count   I want to send an alert when the file_count is less than 0.95*avg_count or greater than 1.5*avg_count So can I configure a custom alert with condition "search file_count < (0.95*avg_count) OR file_count > (1.5*avg_count)" ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-14-2022 06:07 AM