Hi all,
We are receiving web traffic to one index from multiple markets, as in the search below. Now we have been asked to set up an alert if there is a decrease of 50% in volume in any market over a time period such as an hour or 30 minutes. Can someone help me with how to achieve this?
Charting the traffic by market:
index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded" |timechart count by marketName useother=f usenull=f
Thanks!
Check out this amazing Q&A (and links):
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html
index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded"
| stats count by marketName,date_hour
| streamstats current=f window=1 last(count) as previous by marketName
| eval difference=count-previous
| eval percdif=round((difference/previous)*100,0)
| where percdif<-50
This should work and depending on this condition you can do the alert.
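The per-market comparison this thread is after, as an added Python example that is not part of the thread or of Splunk: it does in plain Python what bin/stats/streamstats do in SPL over constructed sample events (the timestamps and market names below are made up), skipping a market's first bucket, which has nothing to compare against, and a previous count of zero.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: "timestamp marketName eventType" (not real traffic)
SAMPLE_EVENTS = """\
2019-05-01T09:05:00 US ProductAdded
2019-05-01T09:10:00 US ProductAdded
2019-05-01T09:20:00 US ProductAdded
2019-05-01T09:40:00 US ProductAdded
2019-05-01T09:07:00 UK ProductAdded
2019-05-01T09:33:00 UK ProductAdded
2019-05-01T09:50:00 UK ProductViewed
2019-05-01T10:02:00 US ProductAdded
2019-05-01T10:15:00 UK ProductAdded
2019-05-01T10:45:00 UK ProductAdded
2019-05-01T11:10:00 UK ProductAdded
""".splitlines()


def bucket_counts(lines, span_seconds=3600, event_type="ProductAdded"):
    """Equivalent of `bin _time span=1h | stats count by marketName,_time`."""
    counts = defaultdict(lambda: defaultdict(int))  # market -> bucket start -> count
    for line in lines:
        ts, market, etype = line.split()
        if etype != event_type:  # the eventType="ProductAdded" filter
            continue
        # Timestamps are treated as UTC so hour buckets align regardless of host timezone
        epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
        counts[market][epoch - epoch % span_seconds] += 1
    return counts


def drop_alerts(counts, threshold_pct=50):
    """Compare each bucket with the previous bucket of the SAME market
    (what `streamstats ... by marketName` does) and alert on a drop larger
    than threshold_pct. Returns (market, bucket, previous, current, percent)."""
    alerts = []
    for market, buckets in counts.items():
        prev = None
        for bucket in sorted(buckets):
            cur = buckets[bucket]
            # First bucket has no previous value; prev == 0 would divide by zero
            if prev:
                pct = round((cur - prev) / prev * 100)
                if pct < -threshold_pct:  # same test as `where percdif<-50`
                    alerts.append((market, bucket, prev, cur, pct))
            prev = cur
    return sorted(alerts)
```

With the sample data, US drops from 4 to 1 between 09:00 and 10:00 (-75%) and is reported, while UK's drop from 2 to 1 is exactly -50% and, like the SPL `<-50` test, is not.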
Hi @sandeepmakkena,
It didn't work. When I run the search before saving it as an alert, it's not giving me any stats.
Thanks,
Devon
Hi @sandeepmakkena, if I remove the date_hour then I get values, but it's taking the count of all markets as the count and taking the difference from that. Is there a way to calculate the difference only from the count of that market alone and then calculate the percentage for that market?
thanks,
Devon
Hi @datamine, I think you will have an hour field in your interesting fields.
If not, add this | eval date_hour=strftime(_time,"%H")
before the stats command.
As for the count, I tested with my data and it is working fine for me; can you add example data?
Thanks for your question.
Greetings @datamine,
See my answer here: https://answers.splunk.com/answering/774433/view.html
Everything should apply, but you'll need to change these lines to fit your use case (and the timechart span).
| eval Alert_Type = case (Percent_Increase_5_Mins>5,"Error",
Percent_Increase_3_Mins>5,"Warning")
Cheers,
Jacob
Thanks @jacobevans !
But we don't want to have any static count value used; rather, a dynamic one: if the count for a specific market in the previous 30 mins/hour is reduced by more than x% compared to the count (only that market) in the last 30 mins/hour, then it should alert.
Cheers,
Devon
That's exactly what it does 🙂 The "5" is a hard-coded percent, not a count.