2

Is it possible to implement count() MTS based on condition?

For instance: We need to monitor the amount of time RDS CPU picks the point of 95% for the last 3 days.

A = data('CPU_Utilization').count(...when point > 95%). 
detector(when(A > {number_of_times_breached}, lasting='3d')).publish(...)

Update.

Solution was found by my colleague:

A = data('CPU_Utilization').above({condition_value}, inclusive=True).count(...)
calm27
  • 145
  • 6
  • I'm looking for a way to evaluate a condition in signalfx too, were you able to find a solution? – S.Dan Jan 30 '23 at 06:23

1 Answers1

1

You can use eval() with boolean result inside count() in your SPL query.

Something like

| <your search> | stats count(eval(point>0.95))
PM 77-1
  • 12,933
  • 21
  • 68
  • 111
  • approach is good, but i can't find any reference from documentation to eval() function. Could you share one, pls? – calm27 Jun 23 '22 at 13:35
  • 1
    https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Search/Usestatswithevalexpressionsandfunctions – PM 77-1 Jun 23 '22 at 14:08
  • i see, sadly this function is a part of splunk query, but not sfx plugin. i found another approach, will update the post with a solution if will be needed one day. – calm27 Jun 23 '22 at 14:13
  • Add your own solution as an answer and accept it. – PM 77-1 Jun 23 '22 at 16:29