- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- a problem about sub search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi~ masters
There is case as:
When events count of last 5 min is greater than an average count of 1 hour before (count-of-1h/12), trigger a email alert
I tried this:
summary index:
index="_internal" | fields | sistats count
named Count5magain1h, scheduled every 5min, then:
index=summary search_name=Count5magain1h | sort -_time limit=13 |stats count| rename count as countof65m |
eval Average = (countof65m - [search index=summary search_name=Count5magain1h | sort -_time limit=1 | stats count | rename count as countof5m | return countof5m])/12 |
eval Result=case(countof5m>2*Average,1,countof5m<2*Average,0)
this seems not going to work! I must have mistaken syntax of search
Could someone help me thanks~
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am not sure I understand your question, but try this:
yoursearchhere earliest=-65m latest=-5m
| bucket _time span=5m
| stats count as FiveMinCount by _time
| stats avg(FiveMinCount) as avgCount
| appendcols [ search yoursearchhere earliest=-5m
| stats count as currentCount ]
I don't understand why you are searching the _internal index. In my example above, I have inserted yoursearchhere where your search criteria should go.
Also your custom condition on the alert should be
where currentCount > avgCount
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am not sure I understand your question, but try this:
yoursearchhere earliest=-65m latest=-5m
| bucket _time span=5m
| stats count as FiveMinCount by _time
| stats avg(FiveMinCount) as avgCount
| appendcols [ search yoursearchhere earliest=-5m
| stats count as currentCount ]
I don't understand why you are searching the _internal index. In my example above, I have inserted yoursearchhere where your search criteria should go.
Also your custom condition on the alert should be
where currentCount > avgCount
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much! I am not good at expressing...
But that exactly solved my problem, and helped me with the usage of Splunk
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
