So I am currently trying to compare the average value of a field over 7 days of events to what the value is currently. If the current value is greater than 3 times that average, I want it to send an alert. Currently I am able to do the first part that finds the average count of the field, but I am unable to figure out how to compare that to the current field value.
index=db sourcetype="dbmetrics" earliest=-7d
| stats avg(db_connections) as DBConnectionsAvg by database
Sorry if the explanation on this is messy, pretty new to Splunk
Try this:
index=db sourcetype="dbmetrics" earliest=-7d
| stats avg(db_connections) as DBConnectionsAvg latest(db_connections) as DBConnectionsCurrent by database
| where 3*DBConnectionsAvg<DBConnectionsCurrent
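To show what that search does per database, here is a small Python equivalent of the stats/where pipeline run over a constructed set of dbmetrics events (my own added illustration, not code from the thread or from Splunk). It shows that latest() picks the event with the greatest _time even when events arrive out of order, and that the newest reading is itself part of the 7-day average; the exclude_current option goes beyond the SPL by leaving it out of the baseline.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed dbmetrics events for illustration (not real data):
# (_time, database, db_connections). Deliberately not in time order.
SAMPLE_EVENTS = [
    ("2024-05-01T00:00Z", "orders", 40),
    ("2024-05-02T00:00Z", "orders", 50),
    ("2024-05-03T00:00Z", "orders", 45),
    ("2024-05-04T00:00Z", "orders", 42),
    ("2024-05-05T00:00Z", "orders", 48),
    ("2024-05-06T00:00Z", "orders", 44),
    ("2024-05-07T00:00Z", "orders", 300),   # spike on the newest reading
    ("2024-05-01T00:00Z", "billing", 20),
    ("2024-05-07T00:00Z", "billing", 22),
    ("2024-05-03T00:00Z", "billing", 21),   # older event listed last: latest() must still pick 05-07
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)

def stats_avg_latest(events, exclude_current=False):
    """Per-database equivalent of
    `stats avg(db_connections) as DBConnectionsAvg latest(db_connections) as DBConnectionsCurrent by database`.
    exclude_current=True is a variant (not what the SPL does): the newest reading is left out of the average."""
    per_db = defaultdict(list)
    for ts, db, value in events:
        per_db[db].append((_ts(ts), value))
    rows = {}
    for db, samples in per_db.items():
        samples.sort()                       # latest() = value of the event with the greatest _time
        current = samples[-1][1]
        baseline = samples[:-1] if exclude_current and len(samples) > 1 else samples
        avg = sum(v for _, v in baseline) / len(baseline)
        rows[db] = {"DBConnectionsAvg": avg, "DBConnectionsCurrent": current}
    return rows

def alerting_databases(events, factor=3, exclude_current=False):
    """Equivalent of `| where 3*DBConnectionsAvg<DBConnectionsCurrent`: databases that would fire the alert."""
    rows = stats_avg_latest(events, exclude_current)
    return sorted(db for db, r in rows.items()
                  if factor * r["DBConnectionsAvg"] < r["DBConnectionsCurrent"])

if __name__ == "__main__":
    for db, r in stats_avg_latest(SAMPLE_EVENTS).items():
        print(db, r)
    print("alert:", alerting_databases(SAMPLE_EVENTS))   # alert: ['orders']
```

With only a handful of samples per database the spike inflates its own baseline, so the default average needs a comfortably large history before a 3x rule fires reliably.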
Didn't know about the latest command. Thanks!