How to edit my search to alert when the amount of ...

lyndac · ‎12-15-2016

I need to be able to detect when the amount of data I have received "so far today" is 15% more or less than the the average amount of data I received for the same timeframe previously.

So, today is Thursday and it's 8:15am. I need to get the number of events I've received since midnight ( index=foo earliest=@d latest=now | stats count ). I need to compare that number to the average number of events received every Thursday for the past 30 days for the same time range (midnight to now). Then, if today's total is more or less than 15% different from that average, I need to alert the user.

I've used timewrap to show all the Thursdays in one graph

|tstats count where index=foo by _time span=1h | timechart max(count) as count span=1h | timewrap w series=exact | where strftime(_time,"%A") == "Thursday"

But that's not quite what I need because it uses counts from the entire day, not just the day so far. Can anyone help? Eventually, I'd like to be able to schedule this query and alert from it, so the time span/day of the week will need to be dynamic.

somesoni2 · ‎12-15-2016

Try something like this (accurate till start of current hour)

| tstats count where index=foo earliest=-30d@d latest=@h by _time span=1h
| timechart max(count) as count span=1h 
| where strftime(_time,"%A")=strftime(now(),"%A") AND strftime(_time,"%H")<strftime(now(),"%H")
| timechart span=1d sum(count) as count | eval period=if(_time=relative_time(now(),"@d"),"today","historical")
| eval temp=1 | chart avg(count) over temp by period | where today>1.15*historical

How to edit my search to alert when the amount of data "so far today" out of "normal" range?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!