Alert Setup - Based on percentages

kragav · ‎09-16-2011

Hi 'am trying to setup an alert to trigger based on percentage. But couldn't find the options for the same. Please could you assist me.

For eg:

An alert should trigger if the failure event >=5% of the total events.

Total events = 100
Failure events = 6
Success events = 94

In above case, an alert should be triggered since the failure event is >=5%.

borisalves · ‎09-23-2011

Here is my illustration

I create 2 tags

Bad_End totalParts=0, totalParts=1

Good_End totalParts=2, totalParts=3, totalParts=4

Executing this search on my filtered target

| top tag::totalParts

Returns:

tag::totalParts count percent

1 Bad_End 34 1.816239

2 Good_End 1838 98.183761

I would like to Alert based on Good_End being smaller than 97%

I saved the search and would like assistance with the Custom Conditional search expression that would trigger and Alert.

Drainy · ‎09-16-2011

 | eval percentage=((failureevents/successevents)*100) | where percentage>=5

If you could paste some example data it would be easier to give a more accurate answer 🙂
The above is roughly what you want to be doing to produce a percentage that you could perform an alert on

Alert Setup - Based on percentages

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio