Solved: Need to setup an alert based on field value percen...

Jiten009 · ‎03-13-2013

Hi,

I need to setup the alert based on a field's(totalCount) value percent variation. My log looks like :

endPoint=search,host=158.94.64.138,remoteAdress=177.209.125.100,query="5155",status="Success",totalCount=1800,QTime=37,PTime=33,Bmode=NORMAL

i.e. trigger an alert if totalCount value varies more than 10%.

Thanks in advance for any help.

martin_mueller · ‎03-13-2013

Something like this?

... | stats max(totalCount) as max min(totalCount) as min | eval variation = min/max | where variation < 0.9

Alert whenever this yields a result... untested. Whether it's what you want depends on how you define "value varies more than 10%". I've assumed "if min value is lower than 90% of max value".

View solution in original post

martin_mueller · ‎03-13-2013

Something like this?

... | stats max(totalCount) as max min(totalCount) as min | eval variation = min/max | where variation < 0.9

Alert whenever this yields a result... untested. Whether it's what you want depends on how you define "value varies more than 10%". I've assumed "if min value is lower than 90% of max value".

Need to setup an alert based on field value percent variation

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms