Splunk Search

Grouping Events by Both Time and Customer

DGray
Engager

Hi all,

Want to alert when a customer's usage suddenly drops.

Tried breaking recent usage into two time periods:
- "new" events (the previous 10 minutes)
- "old" events (the 10 minutes before that)

If there are 100 more "old" events than "new" events, I want to raise an alert.
I have tried several approaches, and found the problem unexpectedly tricky. Please help.

note: All events have a "customer" field, which is one of a couple hundred values. It should be possible to have one query that checks all customers, and returns those that have problems.

sourcetype=web | eval kind = case(_time>now()-600, "new", _time>now()-1200, "old", true(), "out of scope") | stats count by customer, kind | .... something??

sourcetype=web | stats count by customer | eval new_event_count = [search sourcetype=web earliest=-10m | stats count | where customer=customer ??? | return $count] |

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

sourcetype=web earliest=-20m@m 
| eval period=if(_time>=relative_time(now(),"-10m@m"),"new","old") 
| chart count over customer by period
| where old-new>100

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try like this

sourcetype=web earliest=-20m@m 
| eval period=if(_time>=relative_time(now(),"-10m@m"),"new","old") 
| chart count over customer by period
| where old-new>100

DGray
Engager

Thanks, this works great!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...