Hello,
I believe this does not give me what I want but it does at the same time. After events are indexed I'm attempting to aggregate per host per hour for specific windows events.
More specifically I don't see to see that a host isn't able to log 17 times within 1 hour. One alert during that period of time is what I'm looking for.
index=wineventlog EventCode=521 OR EventCode=4617 |bucket _time span=1h | chart count by host
This shows me a total of the alerts that took place within an hour but doesn't necessarily aggregate if I wanted to make an alert for it unless I'm mistaken.
Regards
Try something like
index=wineventlog EventCode=521 OR EventCode=4617 | timechart span=1h count by host
or
index=wineventlog EventCode=521 OR EventCode=4617 | timechart span=1h sum(eval(EventCode=521)) as 521 sum(eval(EventCode=4617)) as 4617 by host
Are you trying to make a search you can schedule to run once every hour and alert if the total count of events in that hour for a given host exceeds a threshold? Or do you want to make a table of host many events per host were seen each hour and then only retain the rows where the count exceeded a threshold? It would help a lot to know your end goal.
End goal is instead of having 17 alerts on the same host for the same event (in this case, unable to log) I just want 1 alert for all 17 events based on :insert host:.
So for instance.
If host x,y and z fire this alert I would want three alerts because the host is different and not because the alert simply fired again.
There is no threshold more like an aggregation of the events over the course of an hour so that only 1 alert fires.
Sorry for not being more specific.
In the meantime, you could try the following searches to see if they are showing you what you want:
index=wineventlog EventCode=521 OR EventCode=4617
| bin span=1h _time
| stats count by _time, host
or
index=wineventlog EventCode=521 OR EventCode=4617
| bin span=1h _time
| chart count by _time, host