Solved: How to alert based off the last reported number in...

sbattista09 · ‎08-01-2016

How to alert based off the last reported number in a time chart. I want to alert based on a comparison of the last two numbers where if it that value grew more than x%, I want it to alert.

woodcock · ‎08-01-2016

add this:

 | tail 2 | reverse | autoregress count | eval pct_increase=100 * (count - count_p1)/count | where pct_increase > X

View solution in original post

woodcock · ‎08-01-2016

add this:

 | tail 2 | reverse | autoregress count | eval pct_increase=100 * (count - count_p1)/count | where pct_increase > X

sbattista09 · ‎08-12-2016

so this is great however the pct_increase (i renamed it to pct_diff) is not putting a decimal so for instance
count count_p1 pct_diff
18.32 10.25 807
pct_diff should be 8.07

i fixed it by adding a decimal
| eval pct_increase=1.00 * (count - count_p1)/count | where pct_increase > X

thanks again i will be suing this a lot!

somesoni2 · ‎08-01-2016

Could you provide more information on your current outputs and expected output? (The title says stats and the question says timechart ) Also share you current queries.

How to alert based off the last reported number in a stats count

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!