Splunk Search

How to use the value of a dynamic threshold constructed as a result of a search to create a alert ?

vallurupallic
Engager

The following splunk search is what I'm using to construct the dynamic threshold of a alert I want to create:

sourcetype=my_sourceearliest=-28d 
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5) 
| bucket _time span=1d
| stats count by _time 
| stats avg(count) as dynThreshold | eval dynThreshold=(1.3*dynThreshold)

Now I want to create a alert where the result count is greater than the dynThreshold value constructed above. can someone help with this please.

0 Karma
1 Solution

adonio
Ultra Champion

try this anywhere:

| gentimes start=-28 increment=1h
| eval _time = starttime
| eval random_value = random()%200
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=$today$ AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-15) 
| bucket _time span=1d
| stats avg(random_value) as avg_ran by _time
| eventstats avg(avg_ran) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(avg_ran > dynZThreshold,1,0)

i changed ... AND (eventMin > curMin-5 to ... > curMin-15 to make sure you will see results

hope it helps

View solution in original post

adonio
Ultra Champion

try this anywhere:

| gentimes start=-28 increment=1h
| eval _time = starttime
| eval random_value = random()%200
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H") 
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H") 
| eval curMin=strftime(now(),"%M")
| where dayofweek=$today$ AND  eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-15) 
| bucket _time span=1d
| stats avg(random_value) as avg_ran by _time
| eventstats avg(avg_ran) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(avg_ran > dynZThreshold,1,0)

i changed ... AND (eventMin > curMin-5 to ... > curMin-15 to make sure you will see results

hope it helps

vallurupallic
Engager

im trying to substitute the use of random value above with the search query result set. But im not able to find any results. I tried the search query just after gentimes as gentimes need to be the first command. can you help please

0 Karma

adonio
Ultra Champion

the | gentimes is an example
use your search

sourcetype=my_sourceearliest=-28d
| eval dayofweek = strftime(_time,"%A")
| eval today=strftime(now(),"%A")
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H")
| eval curMin=strftime(now(),"%M")
| where dayofweek=today AND eventHour=curHour AND curMin > eventMin AND (eventMin > curMin-5)
| bucket _time span=1d
| stats count as tot_count by _time
| eventstats avg(tot_count) as dynThreshold
| eval dynThreshold=(1.3*dynThreshold)
| eval alert = if(tot_count > dynZThreshold,1,0)

0 Karma

vallurupallic
Engager

That worked. Thank you.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...