sourcetype=marketops_cmva_extract_generator ORA-08103 | stats count | where count >10
I have the above search and I want to know the best way to alert for when I have 10 entries in the last hour.
I set a cron in the alert setup to look at the last hour, and a relative time in the search for the last hour.
It seems it won't save when you have a cron and the hour setting in relative time.
What's the best way to do this, please?
Your query will return results only when the count is > 10 because of the where condition -
sourcetype=marketops_cmva_extract_generator ORA-08103 | stats count | where count >10
Run this for -1h@h to @h, set the cron as 0 * * * *, and set the condition as number of events > 0.
Thanks
What time search period should I use?
I only want it to alert when >10 of these errors so why use "condition as number of events > 0"?
You already have a condition in your query, where count > 10, so your query will return a result only if count is > 10.
Ok cheers
Great! Please accept the answer and upvote any comment that has helped you arrive at a solution.
You have to run it every hour on top of the hour -
Run this for -1h@h to @h
Make sure you're actually using relative time like -1h and not real-time like rt-1h.
For more detailed help do share your actual settings that fail, and what message you get when they fail.
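The settings recommended in the answers above, written as a savedsearches.conf stanza. This is an added example, not configuration posted by anyone in the thread; the stanza name is hypothetical and alert actions (email and so on) are left out.

```ini
# savedsearches.conf: added example; the stanza name below is hypothetical
[ORA-08103 hourly threshold]
search = sourcetype=marketops_cmva_extract_generator ORA-08103 | stats count | where count >10

# Search the previous whole hour. Snapping both ends to the hour (@h) means
# consecutive runs neither overlap nor leave gaps between windows.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Run at minute 0 of every hour. Use relative time modifiers as above,
# not real-time ones (rt-1h), for a cron-scheduled alert.
enableSched = 1
cron_schedule = 0 * * * *

# The threshold is already in the search ("where count >10"), so the search
# returns one row or nothing. Trigger whenever anything comes back.
counttype = number of events
relation = greater than
quantity = 0
```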