
I am new to Splunk so pardon me if my question is too naive. I want to set up a Splunk alert if the average of a field is above a threshold. My search is as follows:

sourcetype="somesourcetype" search phase | stats avg(f1) as Average 

If I use

sourcetype="somesourcetype" search phase | timechart avg(f1) as Average span=1h

I can see the table listing the average of field f1. But with stats avg(f1) I do not get anything under the Statistics panel, and I am not sure how to set up an alert if the average of f1 is above 100ms.

fhcat

1 Answer


To trigger an alert at a certain threshold, include the threshold in your query, then have the alert trigger if the number of results is not zero.

sourcetype="somesourcetype" search phase | stats avg(f1) as Average | where Average > 100
RichG
  • Thanks. I think the problem now is that this field contains the numeric value and "ms". So it looks like in one event I have f1=50ms, and in another I have f1=120ms. How would I modify the query to remove this "ms" when calculating the average? – fhcat Apr 12 '18 at 15:59
  • There are a few ways to do that, but perhaps the easiest is `convert`. Try `... | convert num(f1) | stats ...`. – RichG Apr 13 '18 at 00:53
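A complete alert search that puts the answer and the follow-up comment together, as an added example that is not part of the original answer or comments. The sourcetype, the search terms and the field name f1 are taken from the question; the one-hour window, the rex pattern, and the Events, Parsed, Average and Worst field names are assumptions for illustration. It also assumes every f1 value is formatted like 50ms; rather than the convert approach suggested in the comment, it extracts the number with rex so that values carrying any other unit are left out of the average instead of being silently mixed in. The reason the original stats search showed nothing is that avg() ignores non-numeric values, so with f1=50ms every value is skipped and Average comes back empty; the extraction below is what makes the threshold meaningful.

```spl
sourcetype="somesourcetype" search phase earliest=-1h@h latest=@h
| rex field=f1 "^(?<f1_ms>\d+(?:\.\d+)?)\s*ms$"
| stats count AS Events count(f1_ms) AS Parsed avg(f1_ms) AS Average max(f1_ms) AS Worst
| where Average > 100
```

The search returns exactly one row when the hourly average exceeds 100 ms and no rows otherwise, so save it as an alert scheduled to run every hour with the trigger condition "Number of Results is greater than 0". Comparing Parsed with Events in the alert output shows how many events the regex failed to extract a number from, which is the first thing to check if the alert ever stops firing.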