Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a search to only return the overall search average?

jimtan
New Member
‎06-25-2013 06:05 PM

Hi there,

I need to create an alert basing on average failure rate in 60 min. Here is my search sourcetype="mysourceType" AppID = "myApp" | eval Failed= if( myData> 0, 1, 0) | stats avg(Failed) as FailRate
The alert condition is search FailRate > 0.1

However the search returns the intermediate results before the search is complete. I want the alert generated only the search is complete in 60 min. I couldn't figure out to create a search only shows the final overall average for FailRate for the alert.

Any help is appreciated.

Thanks

Tags (1)
0 Karma
Reply

asimagu
Builder
‎06-25-2013 08:15 PM

maybe you could try adding a where clause at the end and then firing the alert if it finds an event

| where FailRate > 0,1

0 Karma
Reply

jimtan
New Member
‎06-26-2013 10:55 AM

Thanks, I have tried everything I know and it doesn't work because the alert gets triggered multiple times before of the immediate results from the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...