- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- span 5min for the last 15min
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
span 5min for the last 15min
Hello,
I have this following search:
source="Laura_ACS"| eventstats count as "totalVE"| eventstats count(eval(STAT_VE="N")) as "totalVENO"|eval percent=(totalVENO/totalVE)*100 | stats values(totalVENO) AS COMPTEUR, values(percent) AS TAUX|search TAUX=100
I want to calculate the "TAUX" for the last 15 min but I want to have a result with a span of 5 min and launch an alert if there are more than 2 results. That means that the TAUX equals 100 twice during the last 15 minutes. How can I apply this span of 5min in my search?
Thanks by advance,
Laura
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps this would help you, for the span/bucket...
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/bucket
And then put "earliest=-15m latest=0" in you orginal search command (i.e. source="Laura_ACS")
And then perhaps use streamstats, instead of stats, to prevent it from formatting results in to a table and keep all raw fields/data,
You can then use transaction to group events as required, and alert when you have 2 complete transactions
Regards,
MHibbin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
transaction is an answer but I don't know how can I apply this on my search because I have several subsearches. I want to calculate the taux for all the range time.
Thx by advance,
Laura
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry I don't understand this question ... 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I test this but I have a problem because I have to apply the span on all my search :
-eventstats count as "totalVE"
-eventstats count(eval(STAT_VE="N")) as "totalVENO"
-stats values(totalVENO) AS COMPTEUR, values(percent) AS TAUX
But I don't know how can do it.
Thanks by advance,
Laura
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx very much. I test this tomorrow and I return my search as soon as I have good results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't tested this, as I don't have any data available at the moment that I can test this on... its more of some suggestions on points to look at, that have helped me in similar situations.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
