How to setup alert for x% decrease in count by mar...

datamine · ‎10-03-2019

Hi all,

We are receiving web traffic to one index from multiple markets like the below search. Now we have been asked to setup an alert if there is any decrease in 50% of volume in any market over a time period like an hour or in 30 mins. Can some one help me how to achieve this?

Charting the Traffic by Market wise:

index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded" |timechart count by marketName useother=f usenull=f

Thanks!

woodcock · ‎10-08-2019

Check out this amazing Q&A (and links):
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html

sandeepmakkena · ‎10-03-2019

index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded"
| stats count by marketName,date_hour
| delta count as difference
| eval percdif=round((difference/count)*100,0)
| where percdif<-50

This should work and depending on this condition you can do the alert.

datamine · ‎10-04-2019

hi @sandeepmakkena ,

It didnt worked. when i run the serach before saving it as alert its not giving me any stats.

Thanks,
Devon

datamine · ‎10-04-2019

hi @sandeepmakkena if i remove the date_hour then i get values but its taking the count of all markets as count and taking the difference from that. Is there a way to calculate the difference only from the count of that market alone and then calculate percentage for that market.

thanks,
Devon

sandeepmakkena · ‎10-04-2019

Hi @datamine I think you will have hour field in your interesting fields.
If not add this | eval date_hour=strftime(_time,"%H") before stats command.

As far count, I did test with my data it is working fine for me, can you add example data.
Thanks for your question.

jacobpevans · ‎10-03-2019

Greetings @datamine,

See my answer here: https://answers.splunk.com/answering/774433/view.html

Everything should apply, but you'll need to change these lines to fit your use case (and the timechart span).

 | eval Alert_Type = case (Percent_Increase_5_Mins>5,"Error",
                           Percent_Increase_3_Mins>5,"Warning")

Cheers,
Jacob

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

datamine · ‎10-04-2019

Thanks @jacobevans !

But we dont want to have any static count value to be used rather than a dynamic one based on the previous 30 mins/hour count(a specific market) is reduced more than x% percentage to the count(only that market now in last 30min/hour) then it should alert.

Cheers,
Devon

jacobpevans · ‎10-04-2019

That's exactly what it does 🙂 The "5" is a hard-coded percent - not count.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

How to setup alert for x% decrease in count by market?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes