Hey all,
So I'm kind of scratching my head on this, and any kind of guidance would be extremely helpful!
Alright, so I have a dashboard with a stoplight visualization that looks at the volume of a particular thing. Volume high = Good, volume low = Outage, and anything in between = Degraded. I have it working perfectly fine now, but my company is 24/7 and volume is not at the same levels at night as it is during the day, so what's happening is that at night volume drops and the dashboard shows "Outage" when there really isn't an outage; volume is simply lower because it's nighttime.
Is there any way I can add something to the query to factor in the time of day? Or should I be going about this a completely different way?
index=aries* sourcetype=aries-main RealtimeAccessLobby (host=dtlprdart* OR host="aglprdart*") md=10 ty=*
| eval error=coalesce(ei, ec, stccode, aaacode, " Success")
| eval er=case(et="HIPAA", ".Reject", error!=" Success", "Fail")
| eval Status=coalesce(er, error)
| eval cnt=1
| table _time, Status, cnt
| append [search index=oracle | eval Status=".Reject" | eval cnt=0 | head 1 | table _time, Status, cnt]
| timechart span=1m sum(cnt) by Status
| addtotals fieldname=Total
| eval TotalRate=(Total/100)
| fillnull value=0 TotalRate
| eval Warning=case(TotalRate<10, "Outage", TotalRate<27, "Degraded", true(), "Good")
| eval Status=case(TotalRate<10, "times-circle", TotalRate<27, "exclamation-triangle", true(), "check-circle")
| eval color=case(TotalRate<10, "#FF0000", TotalRate<27, "#ffff00", true(), "#65a637")
....
| eval day_night=tonumber(strftime(_time, "%H"))
| eval Warning=case(TotalRate<5, "Outage", TotalRate<10 AND (day_night>=7 AND day_night<19), "Outage", TotalRate<27, "Degraded", true(), "Good")
....
Hi, @myoung54,
like this; please add a day/night condition.
And also,
| fields - day_night
if you have a problem.
You're looking for adaptive thresholding. See my previous answer on this:
https://answers.splunk.com/answers/590464/how-you-detect-an-anomaly-from-a-time-frame-the-pr.html
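Both answers' ideas side by side, as an added Python example that is not code from this thread or from Splunk: a day/night-window version of the dashboard's case() (first answer) and a per-hour-of-day baseline, i.e. adaptive thresholding (second answer). The 07:00-19:00 daytime window, UTC, the 35%/70% baseline fractions and the sample history are assumptions.

```python
from datetime import datetime, timezone
from statistics import median

# Fixed thresholds from the question's query (TotalRate = events per minute / 100)
# and the relaxed night-time outage level from the first answer.
OUTAGE_MAX, DEGRADED_MAX, NIGHT_OUTAGE_MAX = 10, 27, 5
DAY_START, DAY_END = 7, 19   # hours [7, 19) are "daytime"; UTC is an assumption

def hour_of(ts: int) -> int:
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour

def classify_fixed(total_rate: float, ts: int) -> str:
    """Day/night window version of the dashboard's case(); no gaps at 10 or 27."""
    daytime = DAY_START <= hour_of(ts) < DAY_END
    if total_rate < (OUTAGE_MAX if daytime else NIGHT_OUTAGE_MAX):
        return "Outage"
    return "Degraded" if total_rate < DEGRADED_MAX else "Good"

def hourly_baseline(history: list[tuple[int, float]]) -> dict[int, float]:
    """Median TotalRate per hour-of-day from (epoch, rate) samples."""
    buckets: dict[int, list[float]] = {}
    for ts, rate in history:
        buckets.setdefault(hour_of(ts), []).append(rate)
    return {h: median(rates) for h, rates in buckets.items()}

def classify_adaptive(total_rate: float, ts: int, baseline: dict[int, float],
                      outage_frac: float = 0.35, degraded_frac: float = 0.7) -> str:
    """Judge the rate against what this hour normally looks like, not a fixed number."""
    expected = baseline.get(hour_of(ts))
    if not expected:                      # no history for this hour, or a baseline of 0
        return "Unknown"
    ratio = total_rate / expected
    if ratio < outage_frac:
        return "Outage"
    return "Degraded" if ratio < degraded_frac else "Good"

def at(day: int, hour: int) -> int:
    """Epoch seconds for a constructed UTC timestamp on 2024-01-<day>."""
    return int(datetime(2024, 1, day, hour, tzinfo=timezone.utc).timestamp())

# Constructed history (not real data): three days of a busy afternoon hour
# and a quiet night hour, so the night baseline is naturally much lower.
HISTORY = [(at(d, 14), r) for d, r in ((1, 30.0), (2, 34.0), (3, 32.0))] + \
          [(at(d, 2), r) for d, r in ((1, 6.0), (2, 8.0), (3, 7.0))]

if __name__ == "__main__":
    base = hourly_baseline(HISTORY)
    for rate, ts in ((7.0, at(4, 14)), (7.0, at(4, 2))):
        print(hour_of(ts), rate, classify_fixed(rate, ts), classify_adaptive(rate, ts, base))
```

A TotalRate of 7 is an Outage at 14:00 under both schemes but only Degraded (fixed window) or Good (baseline) at 02:00, which is exactly the night-time false alarm the question describes.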