{"id":68421,"date":"2022-12-16T14:39:57","date_gmt":"2022-12-16T14:39:57","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=68421"},"modified":"2022-12-16T14:39:57","modified_gmt":"2022-12-16T14:39:57","slug":"answer-by-warren-for-splunk-alert-setting-severity-based-on-duration-of-events","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=68421","title":{"rendered":"Answer by warren for Splunk Alert &#8211; setting severity based on duration of events"},"content":{"rendered":"<p>Try something like this (the threshold is set for 25% on &quot;minor&quot; and 15% on &quot;major&quot; in this example):<\/p>\n<pre><code>index=ndx sourcetype=srctp earliest=-10m ResponseTime=* request=*\n| stats count by ResponseTime request\n| eval major=if(ResponseTime&gt;2000,&quot;yes&quot;,&quot;no&quot;)\n| stats count(request) as requests by major\n| eventstats sum(requests) as majreqs\n| eval majpct=round(requests\/majreqs*100)\n| append\n    [| search index=ndx sourcetype=srctp earliest=-5m ResponseTime=* request=*\n    | stats count by ResponseTime request\n    | eval minor=if(ResponseTime&gt;2000,&quot;yes&quot;,&quot;no&quot;) \n    | stats count(request) as requests by minor \n    | eventstats sum(requests) as minreqs\n    | eval minpct=round(requests\/minreqs*100) ]\n| eval minalert=if(match(minor,&quot;yes&quot;) AND minpct&gt;25,1,0)\n| eval maxalert=if(match(major,&quot;yes&quot;) AND majpct&gt;15,1,0)\n| stats max(maxalert) as ismax max(minalert) as ismin\n| eval severity=if(ismin&gt;ismax,&quot;Major&quot;,&quot;Minor&quot;)\n| fields - i*\n<\/code><\/pre>\n<p>Here&#8217;s a run-anywhere sample (though the major-vs-minor is inverted):<\/p>\n<pre><code>| makeresults \n| eval ResponseTime=&quot;2002,1000,100&quot;, request=&quot;foo,bar,baz&quot; \n| makemv delim=&quot;,&quot; ResponseTime \n| mvexpand ResponseTime \n| makemv delim=&quot;,&quot; request \n| mvexpand request \n| stats count by ResponseTime request \n| eval 
minor=if(ResponseTime&gt;2000,&quot;yes&quot;,&quot;no&quot;) \n| stats count(request) as requests by minor \n| eventstats sum(requests) as minreqs \n| eval minpct=round(requests\/minreqs*100)\n| append \n    [| makeresults \n    | eval ResponseTime=&quot;200,1000,100,3000&quot;, request=&quot;bar,foo,baz,zap&quot; \n    | makemv delim=&quot;,&quot; ResponseTime \n    | mvexpand ResponseTime \n    | makemv delim=&quot;,&quot; request \n    | mvexpand request \n    | stats count by ResponseTime request \n    | eval major=if(ResponseTime&gt;2000,&quot;yes&quot;,&quot;no&quot;) \n    | stats count(request) as requests by major \n    | eventstats sum(requests) as maxreqs\n    | eval maxpct=round(requests\/maxreqs*100) ]\n| eval minalert=if(match(minor,&quot;yes&quot;) AND minpct&gt;25,1,0)\n| eval maxalert=if(match(major,&quot;yes&quot;) AND maxpct&gt;15,1,0)\n| stats max(maxalert) as ismax max(minalert) as ismin\n| eval severity=if(ismin&gt;ismax,&quot;Major&quot;,&quot;Minor&quot;)\n| fields - i*\n<\/code><\/pre>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/74777615\/splunk-alert-setting-severity-based-on-duration-of-events\/74825902#74825902<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Try something like this (the threshold is set for 25% on &quot;minor&quot; and 15% on &quot;major&quot; in this example): index=ndx sourcetype=srctp earliest=-10m ResponseTime=* request=* | stats count by ResponseTime request | eval major=if(ResponseTime&gt;2000,&quot;yes&quot;,&quot;no&quot;) | stats count(request) as requests by major | eventstats sum(requests) as majreqs | eval majpct=round(requests\/majreqs*100) | append [| search index=ndx sourcetype=srctp earliest=-5m &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=68421\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span 
class=\"screen-reader-text\">Answer by warren for Splunk Alert &#8211; setting severity based on duration of events<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-68421","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/68421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=68421"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/68421\/revisions"}],"predecessor-version":[{"id":68422,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/68421\/revisions\/68422"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=68421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=68421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=68421"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2
Fkeyring_services&post=68421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}