field value occurence treshold

HansK · ‎07-04-2012

I want to create an alert with a certain treshold

I have this query:
host="abc0*" DN=* NOT DN="45643232*" NOT DN="53222455*"

Any time a distinct DN occurs more than 10 times per second I would like to be alerted.

How can I set this up?

rturk · ‎07-04-2012

Using the _internal index, here's the best approximation I can give you (my server name is "Voyager-2"):

index=_internal | timechart span=1s count by host | search Voyager-2>10

So in your case, something like this should do the trick:

host="abc0" DN= NOT DN="45643232" NOT DN="53222455" | timechart span=1s count by host

Then you create an alert based on your saved search that will trigger if the number of results is greater than 10.

Hope this helps 🙂

HansK · ‎07-04-2012

hmm, still alerting when there are 10 occurence of any DN, not when a single DN is >10

rturk · ‎07-04-2012

Ahh in that case, try this:

host="abc0" DN= NOT DN="45643232" NOT DN="53222455" | timechart span=1s dc(_raw) by DN

HansK · ‎07-04-2012

host="abc0" DN= NOT DN="45643232" NOT DN="53222455" | timechart span=1s count by DN

This comes closer than I was, but this will alert if the occurence of DN is higher than 10 per second.

DN can hold many values, I need it to alert when a distinct value occurs more than 10 times per second.

Thanks for helping though