Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Alerting
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: How to set up an alert to trigger when the sea...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:30 AM
I want Splunk to notify me when the result increase is more than 20% for the week. For example:
When C2 is more than 20% greater than C1 and C1 20% greater than C0.
Can alert me, changing color, can be anyway.
Thank you!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
09:49 AM
If you want to be alerted on the chart itself, try this
your current search | delta YourField as delta | eval var=delta/YourField *100 | eval var=if(var>=20, var, 0) | fields - delta
You can then add the var field as an overlay with View as Axis = On
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
09:49 AM
If you want to be alerted on the chart itself, try this
your current search | delta YourField as delta | eval var=delta/YourField *100 | eval var=if(var>=20, var, 0) | fields - delta
You can then add the var field as an overlay with View as Axis = On
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:53 AM
returned: Error in 'delta' command: Invalid argument: 'delta'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:56 AM
search:
index=ricoh | table pkNmArq, "Total K Ink Usage _cc",Jobname, date_month , PaginasA4Ricoh, "Total C Ink Usage _cc","Total Y Ink Usage _cc","Total M Ink Usage _cc", custoRicohMlColor, custoRicohMlBlack, _time |
join type=inner max=0 pkNmArq [search index=cmp date_year>=2015 idEtapa=3 CentroImpressao="Alphaville" Maquina="*IP5000_1*" OR Maquina="*IP5000_2*" ClienteAplicacao="TELECOMUNICAÇÕES DE SÃO PAULO S/A (TELESP) - FATURA AUTOENVELOPADA A3 - AT*" |
table pkNmArq, FormatoPapel, ClienteERP, TipoProduto, ClienteAplicacao,PaginasA4CMP, _time] |
eval chaveRicoh = _time+";"+Jobname+";"+PaginasA4Ricoh |
dedup chaveRicoh |
search PaginasA4Ricoh>=1000 |
eval CustoTotal= (('Total K Ink Usage _cc'*custoRicohMlBlack) +
('Total C Ink Usage _cc'*custoRicohMlColor) +
('Total Y Ink Usage _cc'*custoRicohMlColor) +
('Total M Ink Usage _cc'*custoRicohMlColor)) |
fillnull value=0 |
eval CustoMilheiro=((CustoTotal/PaginasA4Ricoh)*1000) |
eval Tipo= if( TipoProduto="AUTOENVELOPADO","AUTOENVELOPADO","INSERIDO") |
eval Produto = ClienteAplicacao."-".Tipo |
timechart span=1week avg(CustoMilheiro) by Produto |
streamstats values(CustoMilheiro) as prev | eval prev=coalesce(prev,CustoMilheiro) | where CustoMilheiro>(1.2*prev)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
10:32 AM
Well, you have a by clause 🙂 Try this
index=ricoh | table pkNmArq, "Total K Ink Usage _cc",Jobname, date_month , PaginasA4Ricoh, "Total C Ink Usage _cc","Total Y Ink Usage _cc","Total M Ink Usage _cc", custoRicohMlColor, custoRicohMlBlack, _time |
join type=inner max=0 pkNmArq [search index=cmp date_year>=2015 idEtapa=3 CentroImpressao="Alphaville" Maquina="IP5000_1" OR Maquina="IP5000_2" ClienteAplicacao="TELECOMUNICAÇÕES DE SÃO PAULO S/A (TELESP) - FATURA AUTOENVELOPADA A3 - AT*" |
table pkNmArq, FormatoPapel, ClienteERP, TipoProduto, ClienteAplicacao,PaginasA4CMP, _time] |
eval chaveRicoh = _time+";"+Jobname+";"+PaginasA4Ricoh |
dedup chaveRicoh |
search PaginasA4Ricoh>=1000 |
eval CustoTotal= (('Total K Ink Usage _cc'*custoRicohMlBlack) +
('Total C Ink Usage _cc'*custoRicohMlColor) +
('Total Y Ink Usage _cc'*custoRicohMlColor) +
('Total M Ink Usage _cc'*custoRicohMlColor)) |
fillnull value=0 |
eval CustoMilheiro=((CustoTotal/PaginasA4Ricoh)*1000) |
eval Tipo= if( TipoProduto="AUTOENVELOPADO","AUTOENVELOPADO","INSERIDO") |
eval Produto = ClienteAplicacao."-".Tipo |
| bin span=1week as time
| stats avg(CustoMilheiro) as average by time Produto
| streamstats range(average) as delta by Produto
| eval var=delta/average*100
| eval var=if(var>=20, var, 0)
| chart values(average) as average values(var) as var over time by sourcetype | rename count:* as *-count var:* as *-var
| eval time=strftime(time, "%m/%d/%y")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
07-07-2016
10:33 AM
Overlay all the var fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
10:43 AM
Got it,
But...
Returned: Error in 'bin' command: Invalid argument: 'time'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-07-2016
09:39 AM
Try like this
your current search producing above timechart | streamstats values(PutYourFieldName) as prev | eval prev=coalesce(prev,PutYourFieldName) | where PutYourFieldName>(1.2*prev)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanprado96
Path Finder
07-07-2016
09:56 AM
returned: No results found.
search:
index=ricoh | table pkNmArq, "Total K Ink Usage _cc",Jobname, date_month , PaginasA4Ricoh, "Total C Ink Usage _cc","Total Y Ink Usage _cc","Total M Ink Usage _cc", custoRicohMlColor, custoRicohMlBlack, _time |
join type=inner max=0 pkNmArq [search index=cmp date_year>=2015 idEtapa=3 CentroImpressao="Alphaville" Maquina="*IP5000_1*" OR Maquina="*IP5000_2*" ClienteAplicacao="TELECOMUNICAÇÕES DE SÃO PAULO S/A (TELESP) - FATURA AUTOENVELOPADA A3 - AT*" |
table pkNmArq, FormatoPapel, ClienteERP, TipoProduto, ClienteAplicacao,PaginasA4CMP, _time] |
eval chaveRicoh = _time+";"+Jobname+";"+PaginasA4Ricoh |
dedup chaveRicoh |
search PaginasA4Ricoh>=1000 |
eval CustoTotal= (('Total K Ink Usage _cc'*custoRicohMlBlack) +
('Total C Ink Usage _cc'*custoRicohMlColor) +
('Total Y Ink Usage _cc'*custoRicohMlColor) +
('Total M Ink Usage _cc'*custoRicohMlColor)) |
fillnull value=0 |
eval CustoMilheiro=((CustoTotal/PaginasA4Ricoh)*1000) |
eval Tipo= if( TipoProduto="AUTOENVELOPADO","AUTOENVELOPADO","INSERIDO") |
eval Produto = ClienteAplicacao."-".Tipo |
timechart span=1week avg(CustoMilheiro) by Produto |
streamstats values(CustoMilheiro) as prev | eval prev=coalesce(prev,CustoMilheiro) | where CustoMilheiro>(1.2*prev)
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...
Detecting Remote Code Executions With the Splunk Threat Research Team
REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...
Observability | Use Synthetic Monitoring for Website Metadata Verification
If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...
