How do you send an alert when the number of record...

navd · ‎01-25-2019

Hi ,

I am using the below query to get an average count . But how do I write a query to send an alert when the number of records goes below 20% of the daily average?

index= abc platform=xyz | stats avg(count) by _time

woodcock · ‎01-25-2019

Check out this Q&A!!!!!
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html

somesoni2 · ‎01-25-2019

Assuming you're running the alert daily to compare yesterday's (full day) count to check if it was less than daily average count over last 7 day (or 7 days prior to yesterday), try something like this (timerange selected to include data for past 8 days, excluding today):

index=abc platform=xyz earliest=-8d@d latest=@d | timechart span=1d count
| eval yesterday=if(_time=relative_time(now(),"-1d@d"), count, null())
| eval lastweek=if(_time<relative_time(now(),"-1d@d"), count, null())
| stats values(yesterday) as yesterday avg(lastweek) as dailyavg
| where yesterday<=0.8*dailyavg

navd · ‎01-25-2019

@somesoni2
I tried using the above query , but It don't see any results .

How do you send an alert when the number of records goes below 20% of the daily avg?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life