It is not far, but this solution returns all the events in 5-minute windows. I need to see only the events in the past 5 minutes. For example, if I do this:
(search) | bucket _time span=5m | stats count by user,host,_time | search count>4 | sort -_time | head 1
I get one event, but from yesterday at 22h, so if I schedule this search every 5 minutes, Nagios will receive plenty of alerts for this event.
I need to see whether there is an event in the past 5 minutes or not. If there is, I create an alert; if not, everything is okay.
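One way to restrict the search to the last five minutes so that a scheduled run only alerts on current activity, as an added example that is not part of the poster's reply (the base search `(search)` and the field names are placeholders; the threshold of more than 4 is the one from the question):

```spl
(search) earliest=-5m@m latest=@m
| stats count by user, host
| where count > 4
```

Scheduling this every 5 minutes on a cron aligned to the minute gives non-overlapping windows: `earliest=-5m@m latest=@m` snaps both bounds to whole minutes, so an event from yesterday never falls inside the window and each result row is a user/host pair that crossed the threshold in the current window only.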