How can you write a query to show the "frequency" ...

HenryFitzerald · ‎01-02-2019

Hi,

Could anyone please assist me in writing a query to check frequency of alert over a 12 month period
for all Alerts starting with FD so FD*

Example alert names is FD_GHH_LTR,FD_GHH_TCP etc.

Query => index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD* | timechart count by alert

HenryFitzerald · ‎01-02-2019

Thanks Yannk will give this a go.

yannK · ‎01-02-2019

you are almost good, just add a span of time

index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD* 
|  timechart span=1month count by alert

if you have more than 10 types of alerts, you can add a higher limit

index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD* 
|  timechart span=1month count by alert limit=30

If you do not really care about the alert name, and just want to count the total

index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD* 
|  timechart span=1month count

Finally, if you want the results as a table not as a timechart, use stats

index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD* 
| bucket _time  span=1month  | stats count by _time alert

How can you write a query to show the "frequency" of fired alert names starting with text "FD*"over the year or months in 2018?