Answer by warren for Splunk Alert – setting severity based on duration of events

Try something like this (in this example the threshold is set to 25% for "minor" and 15% for "major"):

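index=ndx sourcetype=srctp earliest=-10m ResponseTime=* request=* ```"major" window: last 10 minutes (field was misspelled sourtcetype, which matches nothing)```
| stats count by ResponseTime request ```one row per distinct (ResponseTime, request) pair```
| eval major=if(ResponseTime>2000,"yes","no") ```slow-request cutoff```
| stats count(request) as requests by major
| eventstats sum(requests) as majreqs ```total pairs across the yes and no buckets```
| eval majpct=round(requests/majreqs*100) ```each bucket's share of the total, in percent```
| append
    [| search index=ndx sourcetype=srctp earliest=-5m ResponseTime=* request=* ```"minor" window: last 5 minutes```
    | stats count by ResponseTime request
    | eval minor=if(ResponseTime>2000,"yes","no")
    | stats count(request) as requests by minor
    | eventstats sum(requests) as minreqs
    | eval minpct=round(requests/minreqs*100) ]
| eval minalert=if(match(minor,"yes") AND minpct>25,1,0) ```minor/minpct are null on the outer rows, so this is 0 there```
| eval maxalert=if(match(major,"yes") AND majpct>15,1,0) ```majpct is the field computed above; maxpct was never defined in this search, so the major alert could not fire```
| stats max(maxalert) as ismax max(minalert) as ismin ```1 when the corresponding threshold was crossed in any bucket```
| eval severity=if(ismax=1,"Major","Minor") ```major threshold takes precedence; when neither fires this still reports "Minor", as before```
| fields - i* ```drop the ismax/ismin helpers, leaving severity```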

Here’s a run-anywhere sample (though the major-vs-minor is inverted):

| makeresults ```one synthetic row; this side plays the "minor" window```
| eval ResponseTime=split("2002,1000,100",","), request=split("foo,bar,baz",",")
| mvexpand ResponseTime
| mvexpand request ```cross product: one row per (ResponseTime, request) pair```
| stats count by ResponseTime request
| eval minor=if(ResponseTime>2000,"yes","no") ```slow-request cutoff```
| stats count(request) as requests by minor
| eventstats sum(requests) as minreqs ```total pairs across both buckets```
| eval minpct=round(requests/minreqs*100) ```bucket share in percent```
| append
    [| makeresults ```this side plays the "major" window```
    | eval ResponseTime=split("200,1000,100,3000",","), request=split("bar,foo,baz,zap",",")
    | mvexpand ResponseTime
    | mvexpand request
    | stats count by ResponseTime request
    | eval major=if(ResponseTime>2000,"yes","no")
    | stats count(request) as requests by major
    | eventstats sum(requests) as maxreqs
    | eval maxpct=round(requests/maxreqs*100) ]
| eval minalert=if(minor="yes" AND minpct>25,1,0) ```null on the appended rows, so 0 there```
| eval maxalert=if(major="yes" AND maxpct>15,1,0) ```null on the outer rows, so 0 there```
| stats max(maxalert) as ismax, max(minalert) as ismin
| eval severity=case(ismin>ismax,"Major",true(),"Minor") ```same mapping as the search above; see the note on inversion```
| fields - i* ```drop ismax/ismin, keep severity```

from User warren – Stack Overflow https://stackoverflow.com/questions/74777615/splunk-alert-setting-severity-based-on-duration-of-events/74825902#74825902