I have a search using timechart count by [value] and I'd like to set up an alert for when any of the values reaches more than 25 results in 30 minutes.
Search:
index=[redacted] ...
| rex field=message "responseCode : (?<response>.*),"
| rex field=message "errorMessageKey : (?<response>.*),"
| timechart span=30m count by response usenull=f useother=f
The response comes back like Application.errorMessage, a simple and short string.
How can I achieve this?
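
One way to express the threshold described in the question, shown as an added example that is not part of the original post: replace the timechart with a per-value `stats` count and keep only the values above 25. It assumes the alert is scheduled every 30 minutes over a 30-minute time range (for example `earliest=-30m@m latest=@m`) and triggers when the number of results is greater than 0; the `index=[redacted] ...` base search is kept exactly as posted.

```spl
index=[redacted] ...
| rex field=message "responseCode : (?<response>.*),"
| rex field=message "errorMessageKey : (?<response>.*),"
| stats count by response
| where count > 25
```

Each row returned is one `response` value that exceeded the threshold in the window. Events with no extracted `response` drop out of `stats ... by response`, which matches the `usenull=f` behaviour of the original timechart.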