Hello,
I'm calculating the percentage of x events per month, and I also put them into alert mode and set mail notifications - so that works now. The problem is I would like to configure it so that mail appears only when the percentage of x events reaches 99,99% per month and never appears again - the next time I receive mail, it would be for the next month, and so on... Is it possible to configure this? I'm getting mails every day now, because the event matches every day...
Thank you in advance and have a nice day,
David
It sounds to me that you might be looking for Alert Throttling?
I will try that too, thank you! 🙂
Have you got the details for your alert, i.e. your search string?
If you want it to run once every month you could try a scheduled alert.
index="january" OR index="february" OR index="march" OR index="april"| eval Month=strftime(Month,"%Y-%m-%d") | where Percentage >= "0.9999"| eval Percentage=Percentage*100| eval Percentage= substr(Percentage, 1, len(Percentage)-2)| eval Percentage1= replace(Percentage,".",",")| eval "Percentage"=Percentage."%"|eval Percentage= replace(Percentage,".",",")| table Month Percentage| dedup Month
For now the result is Month=2015-01-01 and Percentage=99,99%... OK, so I got that mail and don't want to receive it until 99,99% appears in February... Actually, 99,99% in a month can appear a few months from now or can appear tomorrow...
Hello, I read your comment above and I think that this may help:
Search query:
index="january" OR index="february" OR index="march" OR index="april"| eval Month=strftime(Month,"%Y-%m-%d") | where Percentage >= "0.9999"| eval Percentage=Percentage*100| eval Percentage= substr(Percentage, 1, len(Percentage)-2)| eval Percentage1= replace(Percentage,".",",")| eval "Percentage"=Percentage."%"|eval Percentage= replace(Percentage,".",",")| table Month Percentage| dedup Month
Save it as an Alert.
Title: your alert Title
Alert Type: Real Time
Trigger Condition: Number of Results
Trigger if Number of Results is: Greater than 0
in: 30 days
Click on Next
....
Thanks
I'd avoid Real Time alerts for this, since each such alert is a real-time search that uses up a lot of CPU.
Run it as Scheduled, every minute, instead. That's near-real-time enough for most email alerts.
That is true,
Title: your alert Title
Alert Type: Scheduled
Timerange: Run Every month
Schedule on day: choose the day
Trigger Condition: Number of Results
Trigger if Number of Results is : Greater than 0
...
Then add in throttling for 30 days.
But the only problem with this is not every month has 30 days
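An added example (not part of the thread, and not Splunk's own code) that replays a daily scheduled alert over constructed data to compare the fixed 30-day throttle discussed above with throttling keyed on the Month field value, which Splunk alert throttling supports by suppressing results that contain a given field value. The `simulate` function, its parameters and the sample dates are assumptions made for illustration.

```python
from datetime import date, timedelta

def simulate(first_hit_by_month, start, end, mode, window_days=30):
    """Replay one scheduled run per day; return the (run_day, Month) mails sent.

    first_hit_by_month maps a Month value to the day it first reaches 99,99%.
    Assumption: like the thread's search, every run returns all months that
    have reached the threshold so far, not only the current month.
    mode "window": one global throttle of window_days after any mail.
    mode "month":  throttle keyed on the Month value, so each value mails once.
    """
    sent, last_mail, seen = [], None, set()
    day = start
    while day <= end:
        results = sorted(m for m, hit in first_hit_by_month.items() if hit <= day)
        if mode == "window":
            throttled = last_mail is not None and (day - last_mail).days < window_days
            if results and not throttled:
                # One mail that lists every row currently in the results.
                sent.extend((day, m) for m in results)
                last_mail = day
        else:
            for m in results:
                if m not in seen:  # this Month value has not been mailed yet
                    seen.add(m)
                    sent.append((day, m))
        day += timedelta(days=1)
    return sent

# Constructed sample data: January reaches 99,99% on Jan 20, February on Feb 5.
HITS = {"2015-01-01": date(2015, 1, 20), "2015-02-01": date(2015, 2, 5)}
START, END = date(2015, 1, 1), date(2015, 3, 31)

if __name__ == "__main__":
    for mode in ("window", "month"):
        print(mode)
        for run_day, month in simulate(HITS, START, END, mode):
            print("  mail on", run_day, "for Month", month)
```

With the fixed window, January is mailed again each time the throttle expires and the February mail is held back until the window that January opened has run out; keyed on Month, each month is mailed once, on the day it first qualifies.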