Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create an alert to trigger if the value stored in a CSV file increases by 5?

manja054
Explorer
‎07-20-2015 03:48 AM

Saved search:

 sourcetype=*    | timechart last(Cnt) as CurrentQueueLength span=5m | Where CurrentQueueLength>0 | table CurrentQueueLength | outputcsv ABC

CSV:
CurrentQueueLength
15

If the value increases by 5 (Value to be taken from CSV file), I need to trigger an alert ( cond=CurrentQueueLength+5).

0 Karma
Reply

woodcock
Esteemed Legend
‎07-20-2015 07:18 AM

I don't get your search: it could return more than 1 value or no values! You should probably do something like this:

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | outputcsv ABC

Then schedule the following search as an alert that triggers when "# events > 0" and runs 1 minute before the first one runs (just before the value is overwritten):

earliest=-5m@m sourcetype=* | stats latest(Cnt) as CurrentQueueLength | append [|inputcsv ABC | rename CurrentQueueLength AS PrevQueueLength] | eval delta = CurrentQueueLength - PrevQueueLength | where delta > 5

Also, you might consider using avg but definitely don't use last because it does the opposite of what you think it does (earliest value), which is why I switched it to latest.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...