Hi all,
I'm trying to trigger an alert when an ID occurs more than 10 times in an hour, and the alert should be in table format. This is the search I'm using:
index="abc"|stats count by ID|where count>10| table count ID TIME MACHINE NAME
In your search, the only fields available after the stats command will be count and ID. You need to include the other fields as well. Try something like this
index="abc" | bin span=1h _time AS Time | eventstats count AS occurrence by Time ID | where occurrence > 10 | table occurrence ID Time MACHINE NAME
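The answer's point, reproduced in Python over constructed sample events (added example, not from the original thread): `stats count by ID` keeps only count and ID, while binning `_time` into one-hour buckets and using `eventstats` keeps MACHINE and NAME on every event, so the final table can show them. The field names ID, TIME, MACHINE and NAME are taken from the question; the hosts and service names are made up.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def make_events(event_id, start, n, step_min, machine, name):
    """Build n constructed events for one ID, step_min minutes apart, as epoch seconds."""
    t0 = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    return [{"ID": event_id,
             "TIME": int((t0 + timedelta(minutes=i * step_min)).timestamp()),
             "MACHINE": machine, "NAME": name} for i in range(n)]

# Constructed sample data (not from the original post).
EVENTS = (
    make_events("A1", "2024-01-01T10:00", 12, 4, "host-a", "svc-a")   # 12 events in the 10:00 hour
    + make_events("B2", "2024-01-01T10:05", 3, 10, "host-b", "svc-b")  # 3 events in the 10:00 hour
    + make_events("C3", "2024-01-01T11:30", 6, 5, "host-c", "svc-c")   # 6 events in the 11:00 hour
    + make_events("C3", "2024-01-01T12:05", 6, 5, "host-c", "svc-c")   # 6 events in the 12:00 hour
)

def bucket_hour(ts):
    """Equivalent of `bin span=1h _time AS Time`: floor the timestamp to the hour."""
    return ts - (ts % 3600)

def stats_count(events):
    """Equivalent of `stats count by ID`: only count and ID survive, the other fields are gone."""
    counts = Counter(e["ID"] for e in events)
    return [{"ID": k, "count": v} for k, v in counts.items()]

def eventstats_count(events):
    """Equivalent of `eventstats count AS occurrence by Time ID`: every event keeps its
    original fields and gains Time (hour bucket) and occurrence (per Time+ID count)."""
    counts = Counter((bucket_hour(e["TIME"]), e["ID"]) for e in events)
    rows = []
    for e in events:
        t = bucket_hour(e["TIME"])
        rows.append({**e, "Time": t, "occurrence": counts[(t, e["ID"])]})
    return rows

def alerts(events, threshold=10):
    """Equivalent of `where occurrence > 10 | table occurrence ID Time MACHINE NAME`."""
    cols = ("occurrence", "ID", "Time", "MACHINE", "NAME")
    return [{c: r[c] for c in cols} for r in eventstats_count(events) if r["occurrence"] > threshold]

if __name__ == "__main__":
    for row in alerts(EVENTS):
        print(row)
```

Note that C3 has 12 events in total (so the original `stats count by ID | where count>10` would flag it) but never more than 6 in a single hour, so the hourly version correctly leaves it out.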