Solved: Custom alert condition

ranjani · ‎01-29-2014

I want to compare the results from latest 4 hrs today with the results from the same time yesterday and want to set an alert if today's result drops by 20 percent.

My search string is:

index="abcd" earliest=-28h latest=-24h | stats count as prevday |
append [ search index="abcd" earliest=-4h latest=now | stats count as currday] | eval diff = (abs(prevday - currday)/prevday)*100

Using this search string I could store the results in respective variables prevday and currday.. But I could not successfully set an alert by mentioning the custom condition diff > 20. Where am I doing a mistake? What do I need to specify in alert condition so that I will get an alert if diff > 20 ?

martin_mueller · ‎01-29-2014

By using append you're getting two rows in your result, while eval will operate on each row individually. Put this before your eval:

... | stats first(prevday) as prevday first(currday) as currday | ...

That will collapse the two rows into one, letting eval see both columns properly.

View solution in original post

martin_mueller · ‎01-29-2014

By using append you're getting two rows in your result, while eval will operate on each row individually. Put this before your eval:

... | stats first(prevday) as prevday first(currday) as currday | ...

That will collapse the two rows into one, letting eval see both columns properly.

ranjani · ‎01-30-2014

Oh cool. This really worked for me. Appreciate your help 🙂

Custom alert condition

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio