Hi Splunkers,
I have events which update every 1 minute; if the Status field is true for more than 5 min, I need to trigger an alert.
for example
1:00 Status = False
1:03 Status = True
1:07 Status = False
1:10 Status = True
1:13 Status = True
1:16 Status = True
Now I need to trigger an alert as the Status is true from 1:10 to 1:16, which is more than 5 minutes.
If in between it came false, I don't need an alert.
Thanks in advance.
| stats latest(status) as status_Last latest(_time) as _time by place
| eval now=now() | eval downSince=now-_time | eval downMoreThan5Min=if(downSince>300,1,0)
| search status_Last =True AND downMoreThan5Min=1
try this search anywhere (you can remove the | head 100 for a larger result set):
| gentimes start=-1 increment=1m
| head 100
| eval _time = starttime
| eval status = random()%2
| eval status = if(status=1,"True","False")
| table _time status
| sort -_time
| rename COMMENT as "above is sample data, below is your solution"
| streamstats time_window=5m count(eval(status="False")) as false_status_count
| where false_status_count>=5
hope it helps
try this
| timechart span=5min values(Status)
| rename values(Status) as Status
| eval one=mvindex(Status,0),two=mvindex(Status,1),three=mvindex(Status,2),four=mvindex(Status,3),five=mvindex(Status,4)
| eval trigger=if(one="True" AND two="True" AND three="True" AND four="True" AND five="True",1,0) | where trigger=1
Alert triggers if trigger=1
The timechart takes all 5 values of the past 5 mins, the eval extracts all 5 values and the trigger checks that all (AND-joined) values are true.
It didn't work for me as I will do the | timechart span=5min values(Status) by place, where I have many places and it gives the result of every 5 min status.
I need to check whether the status is true within the 5 mins.
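As an added illustration (not part of the thread), here is the rule from the question and the follow-up expressed in plain Python, independent of SPL: per place, measure the unbroken run of Status=True that ends at the latest event, and alert only when that run spans 5 minutes or more; any False event in between resets the run. The event list is constructed from the timeline in the question, with a second place (rack2) added to show the per-place grouping; the place names are assumptions.

```python
# Constructed sample events modelled on the question's timeline (time, place, status).
# rack2 is an added place whose run is broken by a False at 1:13.
EVENTS = [
    ("1:00", "rack1", "False"),
    ("1:03", "rack1", "True"),
    ("1:07", "rack1", "False"),
    ("1:10", "rack1", "True"),
    ("1:13", "rack1", "True"),
    ("1:16", "rack1", "True"),
    ("1:10", "rack2", "True"),
    ("1:13", "rack2", "False"),
    ("1:16", "rack2", "True"),
]


def _to_minutes(hhmm):
    """Convert 'H:MM' to minutes since midnight so durations can be subtracted."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def true_run_minutes(events):
    """For each place, return the length in minutes of the unbroken run of
    Status=True that ends at the place's latest event (0 if the latest
    status is False). A single False event resets the run, as the question
    requires."""
    by_place = {}
    for t, place, status in events:
        by_place.setdefault(place, []).append((_to_minutes(t), status))
    result = {}
    for place, rows in by_place.items():
        rows.sort()  # streamstats-style: walk events in time order
        run_start = run_end = None
        for t, status in rows:
            if status == "True":
                if run_start is None:
                    run_start = t  # a new run of True begins here
                run_end = t
            else:
                run_start = run_end = None  # False breaks the run
        result[place] = (run_end - run_start) if run_start is not None else 0
    return result


def places_to_alert(events, threshold_minutes=5):
    """Places whose current True run has lasted at least threshold_minutes."""
    runs = true_run_minutes(events)
    return sorted(p for p, mins in runs.items() if mins >= threshold_minutes)
```

With the constructed data, only rack1 alerts: its run from 1:10 to 1:16 spans 6 minutes, while rack2's run was reset by the False at 1:13.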
try this
NOTE: use proper case for status and place; in my dummy data everything is in lower case
| stats values(status) as status,values(_time) as time by place
| eventstats max(time) as maxtime
| eval diff=(maxtime-time)/60
| eval mark=if(diff <=6,1,0)
| where mark=1
| stats list(status) as statuses by mark
| mvexpand statuses
| eval flg=case(statuses="TRUE",1)
| eventstats sum(flg) as sumflg
| where sumflg>0
Alert triggers where result of above query is more than 0
Hi @SathyaNarayanan
Can you please check and confirm on your issue? Please accept the answer if it significantly helped resolve your issue. Do not forget to add/modify the answer if you did some modifications and then accept the answer.