Hi Team,
I have onboarded the Linux CPU logs using the Splunk add-on for Linux. The requirement is, we need to send an alert when we are hitting CPU utilization of more than 80% and the count for that is 3 times continuously, using the streamstats command.
The input is enabled for every 1200 seconds and the alert will run every 30 minutes.
Could you please help me to get the query?
Like this:
... | streamstats current=t window=3 count(eval(cpu>=80)) AS count80plus
| where count80plus==3
How we did that was to pull together the list of inputs and then add a streamstats like this:
| streamstats current=t window=3 values(status) AS last_three by input_name
Something like this:
index=_internal sourcetype=dbx_job_metrics
| sort input_name _time
| table input_name _time status
| streamstats current=t window=3 list(status) as last_three values(status) AS values_three by input_name
| search values_three != "COMPLETED"
You'll need to adjust a little to get your > 80% in there, but that's the basics of it.
Here's a search with numeric values that you can look at:
index=_internal sourcetype=splunkd kb=*
| table _time sourcetype kb
| eval threshold = if(kb<80,"UNDER","OVER")
| streamstats current=t window=3 list(kb) as last_three list(threshold) AS all_thresholds values(threshold) AS last3_threshold
| eval ALERT = if(last3_threshold != "UNDER","All 3 were OVER","")
| eval GOOD = if(last3_threshold != "OVER","Last 3 were all good","")
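Putting the replies together, here is an added worked example in Python (not from the original post or any of the replies, and not the add-on's own code) that reproduces what a `sort 0 host _time | streamstats current=t window=3 count AS samples count(eval(pctBusy>=80)) AS over80 by host | where samples==3 AND over80==3` pipeline computes, so you can see how the per-host grouping, the ascending sort and the short window on the first two events of each host behave before you schedule it. The row layout (CPU pctUser pctNice pctSystem pctIowait pctIdle), using the `all` row as the whole-machine figure, busy = 100 - pctIdle, and the sample events are all assumptions about the cpu sourcetype; check them against your own events.

```python
"""Sliding-window check mirroring `streamstats current=t window=3 ... by host`.

Added example, not from the original thread. The sample rows are constructed
in the column layout the add-on's cpu.sh script is assumed to emit
(CPU pctUser pctNice pctSystem pctIowait pctIdle); verify against your data.
"""
from collections import defaultdict, deque

# Constructed sample events: (host, epoch _time, raw cpu row). Deliberately
# out of order, so the sort step matters, and with one per-core "0" row that
# must be ignored in favour of the "all" aggregate row.
SAMPLE_EVENTS = [
    ("web1", 1700000000, "all  70.00  0.00  15.00  1.00  14.00"),  # busy 86
    ("web1", 1700001200, "all  60.00  0.00  25.00  2.00  13.00"),  # busy 87
    ("web1", 1700002400, "all  50.00  0.00  35.00  0.00  15.00"),  # busy 85, third in a row
    ("web1", 1700003600, "all  10.00  0.00   5.00  0.00  85.00"),  # busy 15, streak broken
    ("web1", 1700001200, "0    95.00  0.00   5.00  0.00   0.00"),  # per-core row, ignored
    ("db1",  1700002400, "all  80.00  0.00  10.00  0.00  10.00"),  # busy 90
    ("db1",  1700000000, "all  85.00  0.00  10.00  0.00   5.00"),  # busy 95, arrives late
    ("db1",  1700001200, "all  30.00  0.00  10.00  0.00  60.00"),  # busy 40, breaks streak
]


def parse_cpu_line(raw):
    """Return (cpu_id, pct_busy) for one cpu.sh data row; busy = 100 - pctIdle
    (assumed layout: CPU pctUser pctNice pctSystem pctIowait pctIdle)."""
    cols = raw.split()
    if len(cols) != 6:
        raise ValueError(f"unexpected cpu row: {raw!r}")
    cpu_id = cols[0]
    pct_idle = float(cols[5])
    return cpu_id, 100.0 - pct_idle


def sustained_breaches(events, threshold=80.0, window=3):
    """Equivalent of:
         sort 0 host _time
         | streamstats current=t window=3 count AS samples
               count(eval(pctBusy>=80)) AS over80 by host
         | where samples==3 AND over80==3
    Returns [(host, _time, pct_busy)] at the event where the streak completes."""
    by_host = defaultdict(list)
    for host, ts, raw in events:
        cpu_id, busy = parse_cpu_line(raw)
        if cpu_id != "all":          # keep only the whole-machine aggregate row
            continue
        by_host[host].append((ts, busy))

    hits = []
    for host in sorted(by_host):
        recent = deque(maxlen=window)            # the streamstats window; oldest drops off
        for ts, busy in sorted(by_host[host]):   # ascending _time, as `sort 0 host _time` does
            recent.append(busy)
            samples = len(recent)
            over = sum(1 for b in recent if b >= threshold)
            # samples==window guards the first window-1 events of each host, where
            # streamstats sees a short window and over80 could be 1 or 2 with every
            # available sample breaching; without it those would alert too early.
            if samples == window and over == window:
                hits.append((host, ts, busy))
    return hits


def alert_lookback_seconds(interval_s=1200, window=3, slack_s=300):
    """Smallest earliest= offset whose time range can hold `window` consecutive
    samples: readings at t, t+interval, ..., t+(window-1)*interval span
    (window-1)*interval seconds; slack covers input jitter and indexing delay."""
    return (window - 1) * interval_s + slack_s


if __name__ == "__main__":
    for host, ts, busy in sustained_breaches(SAMPLE_EVENTS):
        print(f"ALERT {host} at {ts}: {busy:.0f}% busy on the third consecutive sample >= 80%")
    print(f"schedule the search with earliest=-{alert_lookback_seconds()}s")
```

Two practical notes on scheduling: with a 1200-second input and a 30-minute alert cadence, three consecutive samples span 40 minutes of timestamps, so a 30-minute search range can never contain them and the alert would stay silent; use a lookback of at least (window-1)*interval plus some slack, as the helper computes. Because that lookback is longer than the alert interval, the same completed streak can be returned by two consecutive runs, so throttle the alert per host (suppress results for the host for about an hour) rather than rely on the search range to de-duplicate.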