Hello,
I have a query like so:
source="some-source.log" MySearchQuery | stats count by user, host_name
which produces results like:
user host_name count
user1 host_name1 5
user2 host_name2 6
user1 host_name3 9
user3 host_name1 3
user3 host_name3 4
My question is: how can I write a query to fire an alert when the sum of count for any user in the above table is greater than 10, e.g. user1 here?
Option 1:
source="some-source.log" MySearchQuery
| stats count by user, host_name
| eventstats sum(count) as total_user by user
| where total_user > 10
Then click on save as > alert
Option 2:
source="some-source.log" MySearchQuery
| stats count by user, host_name
| stats sum(count) as total_user, values(host_name) as host_name by user
| where total_user > 10
Then click on save as > alert
Hope that helps.
Regards,
J
Works so well. Thanks.
Thanks, accepted the answer. Just another question related to the table in question. Is there a way to attach all of the users' list in the email? Currently, I am using $result.user$ which only picks up the first user.
You should be able to, by triggering once instead of for each result, and also by including an inline table in your email.
See pictures below and hope that helps.
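As an added example (my own code, not from this thread or from Splunk), the following Python models the two answers over the table from the question: Option 1 (eventstats) keeps one row per user and host with total_user added, while Option 2 (a second stats with values) collapses to one row per user with a sorted, deduplicated host list. It also renders every alerting row as a text table, which is what the inline-table email option gives you where $result.user$ expands to the first row only. STATS_ROWS, the function names and the threshold of 10 are assumptions matching the question.

```python
from collections import defaultdict

# Constructed sample: the per-(user, host_name) counts from the question,
# i.e. the output of "stats count by user, host_name".
STATS_ROWS = [
    {"user": "user1", "host_name": "host_name1", "count": 5},
    {"user": "user2", "host_name": "host_name2", "count": 6},
    {"user": "user1", "host_name": "host_name3", "count": 9},
    {"user": "user3", "host_name": "host_name1", "count": 3},
    {"user": "user3", "host_name": "host_name3", "count": 4},
]

def per_user_totals(rows):
    """sum(count) by user, the step both options share."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["user"]] += r["count"]
    return dict(totals)

def option1_eventstats(rows, threshold=10):
    """Option 1: eventstats keeps every (user, host_name) row and adds
    total_user to each; 'where' then keeps all rows of users over threshold."""
    totals = per_user_totals(rows)
    return [dict(r, total_user=totals[r["user"]])
            for r in rows if totals[r["user"]] > threshold]

def option2_stats(rows, threshold=10):
    """Option 2: a second stats collapses to one row per user; values(host_name)
    becomes a deduplicated, lexically sorted list, as Splunk's values() does."""
    totals = per_user_totals(rows)
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["user"]].add(r["host_name"])
    return [{"user": u, "total_user": t, "host_name": sorted(hosts[u])}
            for u, t in totals.items() if t > threshold]

def inline_table(result_rows):
    """Render all alerting rows as a tab-separated table for the email body.
    Listing every row (not just the first) is what the inline-table option
    gives compared with the single-value token $result.user$."""
    lines = ["user\thost_name\ttotal_user"]
    for r in result_rows:
        hn = r["host_name"]
        hn = ", ".join(hn) if isinstance(hn, list) else hn
        lines.append(f"{r['user']}\t{hn}\t{r['total_user']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(inline_table(option1_eventstats(STATS_ROWS)))
    print(inline_table(option2_stats(STATS_ROWS)))
```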