Solved: How to create an alert if a value of a field is > ...

testSplunk1 · ‎07-09-2014

Newbie to splunk. Could someone help me here. I have events coming in ( lets say 1/sec ) which give me number of connections in use in a pool. I would like to create an alert if say 90% of the events over a 5 minute period exceed some value ( say 10 ).

Any help would be greatly appreciated.

somesoni2 · ‎07-09-2014

Try something like this (assuming Field name to validate is NoOfConn and threshold NoOfConn is 10)

   ... your search... | eval status=if(NoOfConn > 10,"Over","NA") | eventstats count(eval(status="Over")) as countOver, count as Total | eval overPerc=round((countOver*100/Total)) | where overPerc>=90

View solution in original post

somesoni2 · ‎07-09-2014

Try something like this (assuming Field name to validate is NoOfConn and threshold NoOfConn is 10)

   ... your search... | eval status=if(NoOfConn > 10,"Over","NA") | eventstats count(eval(status="Over")) as countOver, count as Total | eval overPerc=round((countOver*100/Total)) | where overPerc>=90

somesoni2 · ‎07-10-2014

Great. If there are no followup questions, please mark the answer as accepted.

testSplunk1 · ‎07-09-2014

Worked great ! Thanks

How to create an alert if a value of a field is > some value x for 90% of events during a time period

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability