I currently have a query that aggregates events over the last hour, and alerts my team if events are over a specific threshold. The query was recently accidentally disabled, and it turns out there were times when the alert should have fired but did not.
My goal is apply this alert query logic to the previous month, and determine how many times the alert would have fired, had it been functional. However, I am having a hard time figuring out how best to group these. In pseudo code I basically I would have (running over a 30 day time frame) :
index="some_index" | where count > n | group by hour
Hopefully this makes sense, if not, I am happy to provide some clarification.
Thanks in advance
This should get you started:
index=foo | bin span=1h _time | stats count by _time | where count > n
Related
not sure if I articulated my problem well in the title but let me elaborate here. I need to find where IPs have a daily average count from the past 3 days that is at least 150% larger than a daily average count from the past 7 days. I am looking for spikes in activity based on those two averages. With the way I phrased it, that may sound confusing, but let me show you what I have and why I'm having issues calculating the averages.
| index=blah_blah
| earliest=-7d
| bucket _time span=1d
| stats count by ip _time
| sort ip
| trendline sma3(count) as 3_Day_Average
| trendline sma7(count) as 7_Day_Average
| where 3_Day_Average > 7_Day_Average * 1.5
This provides incorrect averages because if an IP doesn't have a count on a particular day, it won't include that day in the statistics table and it won't be calculated into the average. Instead, it will use a different IP's count to fill in. So if one IP doesn't have a count for 2 of the 7 days for example, then it will take 2 counts from the next IP and calculate that into the average for the original IP that was missing 2 days... I'm hoping that all makes sense. I need the days that don't have counts to still show so that they can be calculated into these averages. If this doesn't make sense to you, feel free to ask questions. I appreciate the help
Instead of stats, try timechart. The timechart command will fill in zeros for spans that have no data.
| index=blah_blah earliest=-7d
| timechart span=1d count by ip
| untable _time ip count
| sort ip
| trendline sma3(count) as 3_Day_Average
| trendline sma7(count) as 7_Day_Average
| where 3_Day_Average > 7_Day_Average * 1.5
I have a search string like below:
index=qrp STAGE IN (ORDER_EVENT)
| bucket _time span=1h
| timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| fillnull value=0
And this is currently giving me aggregates of trades for multiple source systems from the stage table Trade event in a tabular format for every hour of the day.
I need to search exactly for the time frame 8am every day, whether the value of sun of trade for all source systems in the table is equal to zero. How to add the condition to check the column value is Zero or not?
Your help is much appreciated.
You can use the where command to test the value of a field.
... | where TradeCount == 0
One of the things I'm using Splunk to monitor is electricity usage, one of the fields indexed is the accumulative Kw value for the day, how can I get the last value for the day for a given timespan? So output the total Kw for each day for a month - I've tried using
host=Electricity earliest=-4w#w1 latest=+w#w1 | timechart last(live_day_kw) as Kw
but for the data I have it seems to be adding each day together so its increasing day on day and not daily values, so for example day1 is 7kw and day2 is 14kw and day3 is 21kw - I'd expect it to be ~7kw a day. Also just checked and the live_day_kw value does reset to zero at midnight
Not quite sure of what you're looking for, but maybe this will help.
host=Electricity earliest=-4w#w1 latest=+w#w1 | timechart span=1d last(live_day_kw) as Kw
For the benefit of those looking for the same solution I managed to solve it thus:
host=Electricity earliest=-4w#w1 | timechart latest(live_day_kw) as "Kw_Day" | eval Kw_Day = round(Kw_Day,2)
Also needed the search set to 'month to date' and it get exactly what I needed.
I am trying to build a reminder application using c# and, i want to employee the concept of repeat in my application [no repeat, daily, weekly ... ], but the problem i am facing is that how i shall store this reminder in the database.
I tried to duplicate the reminder and change it's date, but what if it has no end date then this one doesn't seem a very smart idea. And then i tried to keep one record in the database and when ever the date becomes past in case it's a repeated it modify the date to the next one, but here i facing the problem of how i search for reminders in a specific days. I wondered if there is a way that SQL can duplicate a record between two dates temporarily for the search.
So i am almost out of ideas right now, any help?!
I don't think you should change any data dynamically in the reminder records. You should add a variable called "remDayOfWeek" to the database -- this will be the day of the week that the user started if the user is to be reminded weekly. Let's say you scan once a day for users that need reminders. All users with daily reminders will need reminders. For users with weekly reminders, all those with "remDayOfWeek" equal to the current day of the week will get a reminder.
OK what I would suggest, is this:
Don't create individual reminders for each day you need a reminder. Give the DB the reminder, start/end dates, and the periodicity of the check (daily, weekly, monthly), and another column to keep track of the last time the user saw a reminder.
something like:
column: | ID | title | Desc | Start | End | Period | lastCheck |
---------------------------------------------------------------------------------------
type: | INT | varchar(100) | varchar(300)| Date | Date| INT (or Enum)| Date
The whole idea is, if the user skips a day you don't need to remind them twice, and you don't really care about what happened to expired reminders, just the most recent.
Assuming the following:
no-repeat = 0
daily = 1
weekly = 2
monthly = 3
you could pull all the reminders you need for a particular date by using: (assuming SQL Server, you didn't specify)
SELECT * FROM Reminder
WHERE (GetDate() BETWEEN Start AND End)
AND ((Period = 0 AND lastChecked IS NULL)
OR (Period = 1 AND GetDate() > DATEADD(day,1,lastChecked))
OR (Period = 2 AND GetDate() > DATEADD(week,1,lastChecked))
OR (Period = 3 AND GetDate() > DATEADD(month,1,lastChecked)));
If you want the reminder to be 24 hours/1 week/1 month exactly from the last time checked that will be fine. otherwise use CONVERT (date, GETDATE()) to ignore the time the user checked.
Finally, update lastChecked to the current time after the user dismisses a reminder.
I have a Table called SR_Audit which holds all of the updates for each ticket in our Helpdesk Ticketing system.
The table is formatted as per the below representation:
|-----------------|------------------|------------|------------|------------|
| SR_Audit_RecID | SR_Service_RecID | Audit_text | Updated_By | Last_Update|
|-----------------|------------------|------------|------------|------------|
|........PK.......|.......FK.........|
I've constructed the below query that provides me with the appropriate output that I require in the format I want it. That is to say that I'm looking to measure how many tickets each staff member completes every day for a month.
select SR_audit.updated_by, CONVERT(CHAR(10),SR_Audit.Last_Update,101) as DateOfClose, count (*) as NumberClosed
from SR_Audit
where SR_Audit.Audit_Text LIKE '%to "Completed"%' AND SR_Audit.Last_Update >= DATEADD(day, -30, GETDATE())
group by SR_audit.updated_by, CONVERT(CHAR(10),SR_Audit.Last_Update,101)
order by CONVERT(CHAR(10),SR_Audit.Last_Update,101)
However the query has one weakness which I'm looking to overcome.
A ticket can be reopened once its completed, which means that it can be completed again. This allows a staff member to artificially inflate their score by re-opening a ticket and completing it again, thus increasing their completed ticket count by one each time they do this.
The table has a field called SR_Service_RecID which is essentially the Ticket number. I want to put a condition in the query so that each ticket is only counted once regardless of how many times its completed, while still honouring the current where clause.
I've tried sub queries and a few other methods but haven't been able to get the results I'm after.
Any assistance would be appreciated.
Cheers.
Courtenay
use as
COUNT(DISTINCT(SR_Service_RecID)) as NumberClosed
Use:
COUNT(DISTINCT SR_Service_RecID) as NumberClosed