I want to raise an alert when the topmost field changes.
my weblog | iplocation prefix=geo client | timechart span=15m count by geoCountry
The above command gives several countries, but I only want one country (similar to top limit=1).
However, the timechart command doesn't seem to work with the top command.
I want to monitor over a span of 15 min to see if the top requests from a country change.
Give this a try (assuming you run the search for the last 30 mins):
my weblog | iplocation prefix=geo client | eval period=if(_time>=relative_time(now(),"-15m"),"current","previous")
| stats count by period geoCountry | sort period -count | dedup period | stats values(geoCountry) as geoCountry | where mvcount(geoCountry)=2
This will return results if the top country for the current (last 15 min) and previous (the 15 mins prior to the last 15 min) periods is different (the last stats gives two values).
Can you add something like:
| sort 0 _time -count | streamstats count as topCountry by _time | search topCountry=1
The streamstats should count 1, 2, 3, 4, ... for each country in order of highest to lowest count in every 15-minute interval, and then you search for the ones equal to 1 to get the top.
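Putting both suggestions together as one scheduled search (an added example, not code from either answer above): it ranks countries inside each 15-minute bucket with streamstats, keeps the top one, and then compares each bucket's top with the previous bucket's, so a non-empty result means the top country flipped and the alert condition can simply be "number of results > 0". The index name weblog and the clientip field are assumptions; substitute your own search and IP field.

```spl
index=weblog earliest=-30m@m latest=@m
| iplocation prefix=geo clientip
| bin _time span=15m
| stats count by _time geoCountry
| sort 0 _time -count
| streamstats count as rank by _time
| where rank=1
| streamstats current=f window=1 last(geoCountry) as prevTop
| where isnotnull(prevTop) AND geoCountry!=prevTop
| table _time prevTop geoCountry count
```

Ties are not handled: if two countries share the top count, the order between them after sort is unspecified and the top can flip without a real change, so add geoCountry as a second sort key or require a minimum margin if that matters. Run it over at least two full buckets (as the -30m@m window does), otherwise there is no previous bucket to compare against.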