Hi,
The first alert query produces a list of IDs which need to be passed to another alert query. Will it be possible to implement it like this?
First Alert Query:
| tstats values(MXTIMING.ID) as ID max(MXTIMING.Memory) AS Memory FROM datamodel=MXTIMING_V9 WHERE host=* AND MXTIMING.Memory>5000 GROUPBY source
| table ID
Second Alert Query:
| tstats max(MXTIMING.Memory) AS VmPeak FROM datamodel=MXTIMING_V9 WHERE MXTIMING.Context+Command="*" AND MXTIMING.ID IN ("ID1" "ID2" "ID3" "ID4" "ID5" ) GROUPBY MXTIMING.Context+Command MXTIMING.Time _time span=1s source
Use a subsearch. Remember that subsearches execute first and pass their results to the parent search.
| tstats max(MXTIMING.Memory) AS VmPeak FROM datamodel=MXTIMING_V9 WHERE MXTIMING.Context+Command="*" AND
[| tstats values(MXTIMING.ID) as MXTIMING.ID max(MXTIMING.Memory) AS Memory FROM datamodel=MXTIMING_V9 WHERE host=* AND MXTIMING.Memory>5000 GROUPBY source
| fields MXTIMING.ID | format ]
GROUPBY MXTIMING.Context+Command MXTIMING.Time _time span=1s source
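What the parent search actually receives from that subsearch is the text that `format` emits. The following Python is an added illustration, not part of the answer above: it models the documented defaults of `format` (rows joined with OR, columns within a row joined with AND, multivalue fields joined with `mvsep`, which defaults to OR, and `emptystr`, which defaults to `NOT( )` when the subsearch returns nothing). The subsearch rows are constructed sample data, and `build_parent_search` is a hypothetical helper that only shows where the clause lands in the tstats WHERE.

```python
"""Model of how Splunk's `format` turns subsearch rows into a WHERE clause.

Added illustration only (not the poster's or Splunk's code); it follows the
documented defaults of `format` so the injected clause can be inspected.
"""


def splunk_quote(value):
    """Wrap a value in double quotes, backslash-escaping embedded quotes."""
    return '"' + str(value).replace('"', '\\"') + '"'


def format_rows(rows, mvsep="OR", emptystr="NOT( )"):
    """Render subsearch rows the way `| format` does with default settings.

    rows: list of dicts; a list value stands for a multivalue field
    (what `values(MXTIMING.ID)` produces per GROUPBY bucket).
    """
    if not rows:
        # An empty subsearch yields the emptystr, so the parent search gets
        # `... AND NOT( )` and matches nothing. Worth knowing for an alert.
        return emptystr
    row_strs = []
    for row in rows:
        cols = []
        for field, value in row.items():
            vals = value if isinstance(value, list) else [value]
            # multivalue field -> field="a" OR field="b"
            cols.append(f" {mvsep} ".join(f"{field}={splunk_quote(v)}" for v in vals))
        # columns of one row are ANDed together
        row_strs.append("( " + " AND ".join(cols) + " )")
    # rows are ORed together
    return "( " + " OR ".join(row_strs) + " )"


# Constructed sample: subsearch output after `| fields MXTIMING.ID`,
# two source buckets, the first with two IDs.
SUBSEARCH_ROWS = [
    {"MXTIMING.ID": ["ID1", "ID2"]},
    {"MXTIMING.ID": "ID3"},
]

# Constructed sample of the same subsearch WITHOUT `| fields MXTIMING.ID`:
# Memory and source survive and get ANDed into every row.
SUBSEARCH_ROWS_UNTRIMMED = [
    {"MXTIMING.ID": ["ID1", "ID2"], "Memory": 6000, "source": "/var/log/mx.log"},
]


def build_parent_search(rows):
    """Hypothetical helper: splice the formatted clause into the tstats WHERE."""
    clause = format_rows(rows)
    return (
        "| tstats max(MXTIMING.Memory) AS VmPeak FROM datamodel=MXTIMING_V9 "
        'WHERE MXTIMING.Context+Command="*" AND ' + clause + " "
        "GROUPBY MXTIMING.Context+Command MXTIMING.Time _time span=1s source"
    )


if __name__ == "__main__":
    print(build_parent_search(SUBSEARCH_ROWS))
    print(build_parent_search(SUBSEARCH_ROWS_UNTRIMMED))
    print(build_parent_search([]))
```

Running it shows why `| fields MXTIMING.ID` matters: without it, `format` ANDs `Memory="6000"` and `source="..."` into each row, so the parent search is restricted to exactly the rows that tripped the first alert instead of every event carrying those IDs. Keep in mind the usual subsearch limits as well (by default a subsearch is cut off at 10,000 results or 60 seconds), and that a subsearch returning nothing yields `NOT( )`, which silently empties the parent search.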