Solved: When the following search sees a percentage increa...

amirarsalan · ‎02-11-2019

Hi, I have a search that looks like this:

index=loadbalancer r_host="sport.mtm.com"  req="/api/v2/log/exception"

Now, I want to create an alarm on it. I want it to alarm when it sees a percentage increase.

Can anyone help me?

vishaltaneja070 · ‎02-11-2019

@amirarsalan
Try this:

index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 50

View solution in original post

vishaltaneja070 · ‎02-11-2019

@amirarsalan
Try this:

index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 50

vishaltaneja070 · ‎02-11-2019

Hello @amirasalan

Is there percentage field available in data?

Or you want based on no of events per minutes or hour etc?

amirarsalan · ‎02-11-2019

Hi @vishaltaneja07011993

I want it on number on event per hour. But i only want alert when it sees a percentage increase.

vishaltaneja070 · ‎02-11-2019

Try something:

index=* earliest=-2h latest=-1h | stats count | appendcols [ search index=* earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 0

Now you can create a alert based on the above search.

amirarsalan · ‎02-11-2019

I don't receive any results, should it be like that? and the other question is what value should i use when i create the alert on the trigger conditions? see the link picture
https://www.google.com/search?q=create+alert+splunk&rlz=1C1GCEB_enSE814SE814&source=lnms&tbm=isch&sa...

amirarsalan · ‎02-11-2019

I only see events not statistic

vishaltaneja070 · ‎02-11-2019

index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception"  earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception"  earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 0

vishaltaneja070 · ‎02-11-2019

Did you try this?

amirarsalan · ‎02-11-2019

Now i got results -100,00
I believe its right.
How do I create alert on that

vishaltaneja070 · ‎02-11-2019

You can save the search as Alert.

amirarsalan · ‎02-11-2019

Thanks, i'm i kind of newbee hehe. in Trigger Conditions what value should i put

vishaltaneja070 · ‎02-11-2019

You can put the condition when number of results is more than 0.

amirarsalan · ‎02-11-2019

Okey i will do that. Last question, so the alert will trigger when its sees a big percentage increase. I forgot to mention that. I want it to trigger when it's a big percentage increase

vishaltaneja070 · ‎02-11-2019

Okay at what percentage you want alert?

amirarsalan · ‎02-11-2019

50 % at least

vishaltaneja070 · ‎02-11-2019

try this then:
index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-2h latest=-1h | stats count | appendcols [ search index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" earliest=-1h latest=now() | stats count as count2] | eval perc= round(((count2 - count) * 100 / count),2) | fields + perc | search perc < 50

amirarsalan · ‎02-11-2019

Perfect should i still use "number of results is more than 0."

vishaltaneja070 · ‎02-11-2019

Yup correct.

please accept the answer so that thread can be closed

amirarsalan · ‎02-11-2019

Thanks a lot

When the following search sees a percentage increase, can you help me create an alarm on it?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!