Hi, I'm trying to accomplish the following:
* alert when there is a host that has less than 2 occurrences
* alert when the total count is less than 12
index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | addcoltotals labelfield=host
| host | hostCount |
|---|---|
| server 1 | 3 |
| server 2 | 3 |
| server 3 | 2 |
| server 4 | 2 |
| server 5 | 2 |
| server 6 | 2 |
| Total | 14 |
How can I validate for each server and total count values just to specify when to trigger the alert?
Regards!
Give this a try
index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | eventstats sum(hostCount) as total | where hostCount<2 OR total<12
Just set a custom condition on the alert:
search (host!=Total AND hostCount<2) OR (host=Total AND hostCount<12)
Add this on:
... | eventstats count(eval(host!="Total" AND hostCount<2)) AS Trigger1 last(hostCount) AS Trigger2
Then trigger your alert on "Trigger1>0 AND Trigger2<12"
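An added example, not part of any reply in this thread: `stats ... by host` returns a row only for hosts that have at least one matching event, so a server that logged nothing is never tested by `hostCount<2`, and with the sample counts above the total would still be 12 rather than below it. This variant appends a zero-count row for every expected host before applying the thresholds; the host names server1 through server6 are assumed and stand in for the real host list.

```spl
index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON"
| stats count(host) as hostCount by host
| append
    [| makeresults
     | eval host=split("server1,server2,server3,server4,server5,server6", ",")
     | mvexpand host
     | eval hostCount=0
     | fields host hostCount]
| stats sum(hostCount) as hostCount by host
| eventstats sum(hostCount) as total
| where hostCount<2 OR total<12
```

With this search the alert can trigger on "number of results > 0", and a silent host shows up as a row with hostCount=0.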