About jason2

jason2

Zoom link?

jason2 · ‎10-31-2024

The earliest=-30d is there so I can get an average count for each the count for each triggered alert over the past 30 days. My question is how can I limit those results so I only see records from yesterday, not the other 29 days

jason2 · ‎10-30-2024

Putting together a query that shows, on an individual alert level, the number of times the alert fired in a day and the average we were expecting. Below is the query as it stands now, but I am looking for a way to only show records from today/yesterday, instead of for the past 30 days. Any help would be appreciated index=_audit action="alert_fired" earliest=-30d latest=now | eval date=strftime(_time, "%Y-%m-%d") | stats count AS actual_triggered_alerts by ss_name date | eventstats avg(actual_triggered_alerts) AS average_triggered_alerts by ss_name | eval average_triggered_alerts = round(average_triggered_alerts,0) | eval comparison = case( actual_triggered_alerts = average_triggered_alerts, "Average", actual_triggered_alerts > average_triggered_alerts, "Above Average", actual_triggered_alerts < average_triggered_alerts, "Below Average") | search comparison!="Average" | table date ss_name actual_triggered_alerts average_triggered_alerts | rename date as "Date", ss_name as "Alert Name", actual_triggered_alerts as "Actual Triggered Alerts", average_triggered_alerts as "Average Triggered Alerts"

Posts	2
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎08-09-2023

Online Status	Offline
Date Last Visited	3 weeks ago

Triggered alerts query - Need help with date

Re: Awesome Admins: Running a Healthy Splunk Platf...

Re: Triggered alerts query - Need help with date

Triggered alerts query - Need help with date