Hi,
I have a periodic search looking for a specific pattern in the logs and assigning a status to the result:
...|eval status=if(count=0,"not found","found")
Is there a way to raise an alert only in the case that the latest search's status value differs from the status returned by the previous one?
I mean, without having two alerts set with different triggers, but based on the same search (which will need to be run twice in this case).
Thank you vganjare,
You gave me the direction which actually led me to an idea to enable summary indexing on this search.
This way I can compare current result with the latest indexed (i.e. previous).
Hi,
You can use lookups for storing the intermediate status. Compare the intermediate result (from lookup) against the current search results. Accordingly, alerts can be triggered.
Thanks!!
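The lookup-based approach described in the answer above, written out as a complete alert search. This is an added example, not code from the original thread or from vganjare; the lookup file name `pattern_status.csv`, the field names `prev_status` and `changed`, and the placeholder `<your base search>` are assumptions. The search keeps the original `eval status=...` line, reads the status stored by the previous run from the lookup, flags a change, writes the current status back for the next run, and only then filters to changed rows so the alert condition "number of results > 0" fires exactly when the status flips.

```spl
| makeresults
| eval status="unknown"
| fields status
| outputlookup pattern_status.csv

<your base search>
| stats count
| eval status=if(count=0, "not found", "found")
| appendcols
    [| inputlookup pattern_status.csv
     | fields status
     | rename status AS prev_status ]
| eval prev_status=coalesce(prev_status, "unknown")
| eval changed=if(status!=prev_status, 1, 0)
| outputlookup pattern_status.csv
| where changed=1
```

The first four lines are a one-off search that seeds the lookup, because `inputlookup` errors on a file that does not exist yet; run them once, then save only the second search as the scheduled alert. `outputlookup` must come before `where changed=1`, otherwise the lookup is not updated on runs where nothing changed and the comparison drifts. With the seed value `unknown`, the very first scheduled run reports a change (from `unknown` to whatever it finds); if that first alert is unwanted, seed the lookup with the status you expect instead.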