I'm trying to convert this search into an alert:
index=cj t=* earliest=-60m | eval myfield=case(t >= .051, "Over", t <= .050, "Under") | timechart count by myfield | eval Total=Over+Under | eval OverPerc=100*Over/Total | eval UnderPerc=100*Under/Total | fields Total Under UnderPerc Over OverPerc
I've tried searchtimespanminutes, but the output still shows in something like 5-second increments.
I want to add ... | where OverPerc >= .1
But I want it to be over, say, a 10-minute period. I want OverPerc not to exceed .1 over a given timeframe, even in real time. It should not alert if it has only matched one result; it should wait until it has loaded the 60 minutes, or 10 minutes, or 5 minutes of data before making the match.
Thanks
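One way to get a single verdict per window rather than a per-5-second timechart row, added here as an example and not part of the original post: run the search as a scheduled (not real-time) alert whose time range is exactly the window you want judged, and let `stats` collapse the whole window into one row before the `where` test. It keeps the post's `index=cj` and field `t`; the single threshold (`t>=0.051` is Over, everything else is Under) so that no value falls between two conditions, and the minimum event count of 100, are assumptions chosen for the example.

```spl
index=cj t=* earliest=-10m@m latest=@m
| stats count(eval(t>=0.051)) AS Over, count(eval(t<0.051)) AS Under
| eval Total=Over+Under
| eval OverPerc=if(Total>0, round(100*Over/Total, 3), 0)
| eval UnderPerc=if(Total>0, round(100*Under/Total, 3), 0)
| where Total>=100 AND OverPerc>=0.1
| table Total Under UnderPerc Over OverPerc
```

Save it as an alert scheduled with the cron expression `*/10 * * * *`, keep the time range `earliest=-10m@m latest=@m` so each run covers one complete, minute-aligned 10-minute window, and set the trigger condition to "Number of results" greater than 0: the `where` clause produces either one row (alert) or none (no alert), so a single stray event can never fire it on its own, and the `Total>=100` guard (an assumed floor; pick one that matches your traffic) stops a near-empty window from producing a misleading percentage. For a 5-minute or 60-minute window, change the cron interval and the `earliest` offset together. To look back over an hour in 10-minute buckets interactively, replace the `stats` line with `timechart span=10m count(eval(t>=0.051)) AS Over count(eval(t<0.051)) AS Under` and drop the final `table` so `_time` is kept.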