How to write condition

yvreddy90 · ‎09-26-2019

(index=logs OR index=audit) AND source="commtasks-logger" AND id=finishedcommtask |stats count by data.succeeded | transpose header_field="data.succeeded" | eval false perc = (f/(f+t))*100 | eval true perc = (t/(f+t))*100

This my query based on this how to write a condition is "false perc >10" trigger alert

Please help me anyone

gcusello · ‎09-26-2019

Hi yvreddy90,
At first you should try your search putting attention to the field names (don't use spaces); false_perc.
Then you have to be sure that "f" and "t" fields have values, so you can calculate the false_perc field.

(index=logs OR index=audit) source="commtasks-logger" id=finishedcommtask 
| stats count by data.succeeded 
| transpose header_field="data.succeeded" 
| eval false_perc=(f/(f+t))*100

then, when you'll be sure of this, at the end of your search you can add the condition:

| where false_perc>10

So if you have results you can trigger the alert.

Bye.
Giuseppe

adonio · ‎09-26-2019

did you try ... | top data.succeeded instead of your ... | stats count ... ?

How to write condition

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio