I am assuming that you want to have alerts for below time stamp according to your log data.

time      cnt  difference
1:00:00  1             1               Alert
1:05:00  1             0     
1:10:00  2             1               
1:15:00  2             0
1:20:00  3             1               
1:25:00  5             2               Alert
1:30:00  5             0                 
1:35:00  6             1               Alert  
1:40:00  10            4               Alert

Try this;

...your search...|eval condition=if(cnt=1) OR (cnt>4),1,0)|eval condition1=if((difference>0),1,0)|eval condition2=if((condition=1) AND ((condition1=1),1,0)|table _time,cnt,difference,condition2

Then go to alert menu for this alert;

Alert condition -> select "if custom condition is met"
go to custom condition-> search condition2="1"

Cron:*/15 * * * *

Hope it is ok now.

Thanks

Gokhan

Thanks ..but it doesnot resolve my query.

my log looks like this

1:00:00 1
1:05:00 1
1:10:00 2
1:15:00 2
1:20:00 3
1:25:00 5
1:30:00 5
1:35:00 6
1:40:00 10

i should not trigger the 2nd alert till the cnt>=5 how to i say my alert to not to trigger until the cnt=5

Thanks for the answer. But this is not i am looking for.

after triggering the 1st alert it as to trottle until the count becomes count >=5

Hi ,

As I understood you have data like;

cnt difference
10 0
15 5
19 4

What I understood is you want to trig if difference<0 but do not trig until difference reach 5.

Here is the new logic:

....|timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3|eval condition1=case(BADCODES<2,"smallerthantwo",BADCODES>5,"biggerthanfive")|eval condition2=if((condition1="smallerthantwo") OR (condition1="biggerthanfive"),1,0)| table _time,BADCODES,condition1,condition2

Now, If condition2="1" on your table, you can rise an alarm.

Cron:*/15 * * * *

Hope it ok

Thanks

Gokhan