span 5min for the last 15min

LauraBre · ‎07-26-2012

Hello,

I have this following search:

I want to calculate the "TAUX" for the last 15 min but I want to have a result with a span of 5 min and launch an alert if there are more than 2 results. That means that the TAUX equals 100 twice during the last 15 minutes. How can I apply this span of 5min in my search?

Thanks by advance,

Laura

MHibbin · ‎07-26-2012

Perhaps this would help you, for the span/bucket...

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/bucket

And then put "earliest=-15m latest=0" in you orginal search command (i.e. source="Laura_ACS")

And then perhaps use streamstats, instead of stats, to prevent it from formatting results in to a table and keep all raw fields/data,

You can then use transaction to group events as required, and alert when you have 2 complete transactions

Regards,

MHibbin

LauraBre · ‎07-27-2012

transaction is an answer but I don't know how can I apply this on my search because I have several subsearches. I want to calculate the taux for all the range time.

Thx by advance,

Laura

MHibbin · ‎07-27-2012

I'm sorry I don't understand this question ... 😞

LauraBre · ‎07-27-2012

Hello,

I test this but I have a problem because I have to apply the span on all my search :
-eventstats count as "totalVE"
-eventstats count(eval(STAT_VE="N")) as "totalVENO"
-stats values(totalVENO) AS COMPTEUR, values(percent) AS TAUX

But I don't know how can do it.

Thanks by advance,

Laura

LauraBre · ‎07-26-2012

Thx very much. I test this tomorrow and I return my search as soon as I have good results.

MHibbin · ‎07-26-2012

I haven't tested this, as I don't have any data available at the moment that I can test this on... its more of some suggestions on points to look at, that have helped me in similar situations.

span 5min for the last 15min

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life