I am trying to create an alert which will notify me when the percentage change in the delta/difference of events exceeds 100% (minimum of 10 events as I want to try and eliminate the influence of low numbers on the percentage change, i.e., going from 1 event to 6, etc.)
My search query as follows:
index=indexname earliest=-1h Subject="xzy" SenderAddress="xyz@xyz.edu"
| timechart span=1h partial=false count
| delta count as difference
| eval difference=coalesce(difference,0)
| eval percentDifference =round(abs(difference/(count - difference))*100)
| where (difference > 1 AND percentDifference > 100)
| where count > 10
Just wanted to see if a) there was a more efficient way to run this query and b) confirm that this search should be run every hour and 10 minutes or so (there is a lag time of the logs flowing in that's about 10 minutes behind).
Thx
You can use index_earliest and index_latest to help cover late arriving events.
Plugged the following into the query to search for events indexed in the previous hour:
index=indexname _index_earliest=-h@h _index_latest=@h Subject="xzy" SenderAddress="xyz@xyz.edu"
Awesome - thx!
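Putting the question and the reply together, here is an added example search (not from the thread) that selects events by index time so the 10-minute ingestion lag does not drop events, widens the window to two whole hours so that the latest bucket always has a previous bucket to compare against, and applies the 10-event floor to both buckets before dividing so a near-empty baseline can never produce a division by zero or an inflated percentage. The index name, field values and thresholds are taken from the question; applying the floor to the previous hour as well is an assumption about the intended "minimum of 10 events".

```spl
index=indexname _index_earliest=-2h@h _index_latest=@h earliest=-3h@h Subject="xzy" SenderAddress="xyz@xyz.edu"
| timechart span=1h partial=false count
| streamstats current=f window=1 last(count) as previous
| sort - _time
| head 1
| where previous >= 10 AND count >= 10
| eval difference=count-previous, percentDifference=round((difference/previous)*100)
| where difference > 1 AND percentDifference > 100
```

Scheduled at 10 minutes past the hour, the search returns one row (the hour just completed) only when it has at least doubled the previous hour's count, which is the condition to alert on; the earliest=-3h@h bound keeps the _time window small so the search stays cheap while still admitting late-arriving events stamped in the prior hour.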