Greetings
I'm looking to create an alert if a field value consecutively remains above a specific threshold, say 500. For example:
Time   Field-1
1310   583
1315   678
1320   300
1325   789
In this example, I would get an alert at 1315 but not at 1320 or 1325 as the value was not above 500 consecutively. Any help in resolving this is greatly appreciated.
Hi @cquinney
Try this:
[your search] | dedup 2 sourcetype | where 'Field-1'>500 | eventstats count | where count>1 | table Time Field-1
This will look at the last two consecutive events, and only include them when the value is > 500.
Then eventstats counts how many records you have - if there is more than 1 record, you get a result.
Hi Nickhillscpl,
Thank you for the query, it's not quite giving me the results I'm looking for. I've updated my query to the following:
| makeresults
| stats count by _time
| eval lock_count=case(count>500,"alert")
| search lock_count=alert
| bin _time span=5m
| streamstats count window=2 by lock_count
Now I'm trying to work out how to generate an alert if I get two "alerts" in a 5 min time-frame. Any suggestions?
I found an alternate solution by modifying my query to:
| makeresults
| timechart span=5min count
| eval hour=strftime(_time,"%H:%M")
| streamstats current=f window=2 last(count) as last_count
| table hour count last_count
Then I created an alert condition where count > 500 AND last_count > 500
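As an added, self-contained illustration (not part of the original thread), the following search builds the four sample rows from the question with makeresults and evaluates both the "previous value" condition and a run-length version that generalises to N consecutive breaches (set window=N and compare run_len to N); the base timestamp and field names are assumptions.

```spl
| makeresults count=4
| streamstats count as n
| eval _time=strptime("2024-01-01 13:05","%Y-%m-%d %H:%M") + n*300
| eval count=case(n=1,583, n=2,678, n=3,300, n=4,789)
| eval hour=strftime(_time,"%H:%M")
| streamstats current=f window=1 last(count) as last_count
| eval above=if(count>500,1,0)
| streamstats window=2 sum(above) as run_len
| eval alert_pair=if(count>500 AND last_count>500,"alert","")
| eval alert_run=if(run_len=2,"alert","")
| table hour count last_count run_len alert_pair alert_run
```

Both alert columns are set only on the 13:15 row; in a scheduled alert, replace the makeresults rows with `| timechart span=5min count` over the real data and trigger on the last row when alert_run="alert".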
There are a few ways to go about this and the optimal solution depends on specifics of your data.
Do the events come in every five minutes or is that just an example?
The data currently comes in every 5 mins.