This may be confusing, so I'll try to explain it as best as I can. I've got a search that looks for servers that get marked down by the load balancer in a 1 minute time frame, and de-duplicates the IPs. I am then alerted if the number of IPs is greater than a certain number. My search is as follows:
sourcetype=syslog service down | dedup HostIP
This search works great over the realtime 1 minute rolling window. What I'd like to do though is search back historically and see when there were 3 or more unique HostIPs in a 1 minute window.
I tried searching with something like this:
sourcetype=syslog service down | bucket _time span=1m | stats count by _time
And that sort of works, but I can't get the dedup to work for each 1 minute interval; instead it dedups the entire time range, which isn't what I want.
Any ideas?
Couldn't you just use dc instead of count in your stats command?
sourcetype=syslog service down | bucket _time span=1m | stats dc(HostIP) by _time
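To make the difference between the two pipelines concrete, here is an added Python re-implementation (not from the thread and not Splunk code) that runs both over a handful of constructed "service down" syslog lines. The HostIP= field format, timestamps and IPs are invented for the example; the point is that dedup applied across the whole search range drops events from earlier minutes, while a per-minute distinct count (the equivalent of `bucket _time span=1m | stats dc(HostIP) by _time`) counts each minute independently.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original post). Each one records the
# load balancer marking a backend down; the HostIP=... field is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:05 lb1 haproxy: service down HostIP=10.0.0.1
2024-05-01T10:00:15 lb1 haproxy: service down HostIP=10.0.0.2
2024-05-01T10:00:20 lb1 haproxy: service down HostIP=10.0.0.1
2024-05-01T10:00:40 lb1 haproxy: service down HostIP=10.0.0.3
2024-05-01T10:01:10 lb1 haproxy: service down HostIP=10.0.0.1
2024-05-01T10:01:50 lb1 haproxy: service down HostIP=10.0.0.2
2024-05-01T10:03:00 lb1 haproxy: service down HostIP=10.0.0.4
2024-05-01T10:03:30 lb1 haproxy: service down HostIP=10.0.0.5
2024-05-01T10:03:31 lb1 haproxy: service down HostIP=10.0.0.6
2024-05-01T10:03:59 lb1 haproxy: service down HostIP=10.0.0.4
"""

LINE_RE = re.compile(r"^(\S+) .*service down HostIP=(\S+)")


def parse_events(text):
    """Return a list of (timestamp, host_ip) for every 'service down' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events


def bucket_minute(ts):
    """Equivalent of `bucket _time span=1m`: floor the timestamp to the minute."""
    return ts.replace(second=0, microsecond=0).isoformat()


def dc_by_minute(events):
    """Equivalent of `... | bucket _time span=1m | stats dc(HostIP) by _time`.

    Each minute gets its own set of IPs, so an IP seen in two different
    minutes is counted once in each of them.
    """
    hosts = defaultdict(set)
    for ts, ip in events:
        hosts[bucket_minute(ts)].add(ip)
    return {minute: len(ips) for minute, ips in hosts.items()}


def global_dedup_count_by_minute(events):
    """What `... | dedup HostIP | bucket _time span=1m | stats count by _time` does.

    dedup runs before bucketing and keeps one event per IP over the whole
    search range. Splunk keeps the most recent event, so we walk newest-first;
    every earlier occurrence of that IP is discarded and never reaches stats.
    """
    seen = set()
    counts = defaultdict(int)
    for ts, ip in sorted(events, key=lambda e: e[0], reverse=True):
        if ip in seen:
            continue
        seen.add(ip)
        counts[bucket_minute(ts)] += 1
    return dict(counts)


def alert_minutes(text, threshold=3):
    """Minutes in which at least `threshold` distinct hosts were marked down."""
    dc = dc_by_minute(parse_events(text))
    return sorted(m for m, n in dc.items() if n >= threshold)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("per-minute dc(HostIP):      ", dc_by_minute(ev))
    print("global dedup then count:    ", global_dedup_count_by_minute(ev))
    print("minutes with >= 3 hosts down:", alert_minutes(SAMPLE_LOG))
```

With this input the per-minute distinct count flags both 10:00 and 10:03, whereas the global dedup variant reports only one host for 10:00 because 10.0.0.1 and 10.0.0.2 also appear later and their earlier events were thrown away. The same logic applies when searching back over a long historical range: bucket first, then aggregate with dc.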