SachinKakkar
Reputation: 85
Splunk Alert - custom trigger condition - trigger alert if percentage failure increase by 1% in last 15 minutes
I am trying to send alerts if in last 15 minutes failureThreshold increases by 1%, Following is the Splunk query that returning percentage failureThreshold:
index=*apiGateway* Consumer=* ServiceName=creditcard.* host=*gateway* HTTPStatus=* earliest=-15m@s
| stats count as Total count(eval(HTTPStatus > 499)) as Failure
| eval failureThreshold=Failure*100/Total
| table failureThreshold
from Alert window - I am running this query after every 5 minutes and choose custom trigger condition, need suggestions how to check condition failureThreshold > 1
Upvotes: 0
Views: 2069
Answers (1)
RichG
Reputation: 9926
I've found it easier and more reliable to put the alert threshold in the search and have the alert trigger when the number of results is not zero.
index=*apiGateway* Consumer=* ServiceName=creditcard.* host=*gateway* HTTPStatus=* earliest=-15m@s
| stats count as Total count(eval(HTTPStatus > 499)) as Failure
| eval failureThreshold=Failure*100/Total
| where failureThreshold > 1
| table failureThreshold
Upvotes: 1
Related Questions
- Splunk Alert - setting severity based on duration of events
- Splunk Alert - setting different threshold during the day
- splunk and how to do alerting on the first/last business day
- Alerting in splunk for different thresholds
- Splunk Alert Creation
- Splunk: Schedule alert to run every 10 minutes
- Splunk searching event logs to find values exceeding a given threshold
- Setting up alerts for metrics in Splunk
- Splunk alert based on the search result value
- Set up Splunk alert based on average of a field