- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Alert when there is a peak of activity
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am currently setting up some graphs and I was wondering if there is a simple and flexible way to generate an alert when there is a unusual peak in the graph.
I know I can set up an alert if X events have been found but this is not flexible. Is there a way that Splunk can learn that, for example, on Mondays, there are more events generated so the alert limit should be higher ?
Thank you !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The way I approached this in the past was using a summary index (report acceleration might work too):
- Summarise your data hourly, daily or whatever range you find more suitable for your needs
- Apply the relevant statistical functions to your summary data (doing the same against non-summarised data could take ages)
- Compare your previous results with your current ones in order to trigger the alerts you want
I don't have access to my old Splunk instance at the moment so I can't really paste any code or screenshots.
Hope that helps.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use timewrap app to compare week-over-week and do a precentage variation that is constant:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, this looks very nice. If you have any other command to compare charts over time, do not hesitate to share it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The way I approached this in the past was using a summary index (report acceleration might work too):
- Summarise your data hourly, daily or whatever range you find more suitable for your needs
- Apply the relevant statistical functions to your summary data (doing the same against non-summarised data could take ages)
- Compare your previous results with your current ones in order to trigger the alerts you want
I don't have access to my old Splunk instance at the moment so I can't really paste any code or screenshots.
Hope that helps.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could also check out the Machine Learning App which features one such use cases explicitly. Check it out if you're interested, I can really recommend it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I will check out this app 🙂
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
