Hi Splunk Community, I need to create an alert that only gets triggered if two conditions are met. As a matter of fact, the conditions are layered:
1. Search results are >3 in a 5-minute interval.
2. Condition 1 is true 3 times over a 15-minute interval.
I thought I would create 3 sub-searches within the search, output the result in a "counter", and then run a search to identify whether the "counter" values are >3:
index=foo mal_code="foo" source="foo.log"
| search "{\\\"status\\\":{\\\"serverStatusCode\\\":\\\"500\\\"" earliest=-5m@m latest=now
| stats count as event_count1
| search "{\\\"status\\\":{\\\"serverStatusCode\\\":\\\"500\\\"" earliest=-10m@m latest=-5m@m
| stats count as event_count2
| search "{\\\"status\\\":{\\\"serverStatusCode\\\":\\\"500\\\"" earliest=-15m@m latest=-10m@m
| stats count as event_count3
| search event_count*>0
| stats count as result
I am not sure my time modifiers are working correctly, but I am not getting the results I expected. I would appreciate it if I could get some advice on how to go about this.
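One way to express the two layered conditions in a single scheduled search, added here as an example that is not part of the original post: the first `stats` in the posted search collapses the events into a single row with no `_time` field, so the later `| search ... earliest=... latest=...` stages have nothing to filter on and return nothing. Instead, pull the last 15 minutes once, bucket the matching events into 5-minute windows with `bin`, count per window, keep the windows with more than 3 hits, and then count how many such windows there were. The index, field and search-term values are copied from the post; the alert threshold of 3 windows follows the stated conditions rather than the `>0` check in the original search.

```spl
index=foo mal_code="foo" source="foo.log" earliest=-15m@m latest=@m
    "{\\\"status\\\":{\\\"serverStatusCode\\\":\\\"500\\\""
| bin _time span=5m
| stats count AS event_count BY _time
| where event_count > 3
| stats count AS windows_over_threshold
| where windows_over_threshold >= 3
```

`earliest=-15m@m latest=@m` snaps both ends to the minute, so the search covers exactly three complete 5-minute buckets; a bucket with no matching events simply does not appear, which is harmless because it could not exceed the threshold anyway. The final `where` leaves one row only when all three windows exceeded 3 events, so the alert can be saved with a schedule of every 5 minutes and a trigger condition of "number of results greater than 0". Intermediate counts can be inspected by running the search without the last two lines.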