How to create an alert to trigger if the value stored in a CSV file increases by 5?

manja054
Explorer

Saved search:

sourcetype=* | timechart last(Cnt) as CurrentQueueLength span=5m | Where CurrentQueueLength>0 | table CurrentQueueLength | outputcsv ABC

CSV:
CurrentQueueLength
15

If the value increases by 5 (the value to be taken from the CSV file), I need to trigger an alert (cond=CurrentQueueLength+5).


woodcock
Esteemed Legend

I don't get your search: it could return more than 1 value or no values! You should probably do something like this:

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | outputcsv ABC

Then schedule the following search as an alert that triggers when "# events > 0" and runs 1 minute before the first one runs (just before the value is overwritten):

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | append [|inputcsv ABC | rename CurrentQueueLength AS PrevQueueLength] | stats values(CurrentQueueLength) AS CurrentQueueLength values(PrevQueueLength) AS PrevQueueLength | eval delta = CurrentQueueLength - PrevQueueLength | where delta > 5

Also, you might consider using avg, but definitely don't use last because it does the opposite of what you think it does (earliest value), which is why I switched it to latest.

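A combined version of the two searches above, added here as an example and not taken from the post: it collapses the appended rows with stats before computing delta, and writes the new value back to ABC.csv in the same search, so the alert no longer depends on being scheduled one minute before the overwrite. It assumes ABC.csv has been seeded once by the first search, that outputcsv passes its results on down the pipeline, and uses delta >= 5 to match "increases by 5".

```spl
earliest=-5m@m sourcetype=*
| stats latest(Cnt) AS CurrentQueueLength
| append
    [| inputcsv ABC
     | fields CurrentQueueLength
     | rename CurrentQueueLength AS PrevQueueLength]
| stats values(CurrentQueueLength) AS CurrentQueueLength values(PrevQueueLength) AS PrevQueueLength
| eval delta = CurrentQueueLength - PrevQueueLength
| fields CurrentQueueLength delta
| outputcsv ABC
| where delta >= 5
```

Schedule this as the only search that writes ABC.csv, every 5 minutes, with the alert condition "number of results > 0"; the fields command before outputcsv keeps PrevQueueLength out of the file so the next run's rename does not collide.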