Thanks for the feedback, I appreciate the insight. I just tried setting the custom value to search Depth<=70, but now I'm getting an alert constantly. I'm wondering if the example I used wasn't close enough. Here is (essentially) my actual query:
sourcetype="engine" Acceptedmessage run | timechart count span="1h" by host | eval total=Server1+Server2 | eval Test1=(Server1/total)*100 | eval Test2=(Server2/total)*100 | eval Result1=if(Test1 < 40, "Error", "OK") | eval Result2=if(Test2 < 40, "Error", "OK") | fields Test1, Result1, Test2, Result2
So my resulting timechart shows me what I want: I see the number of Accepted messages per host, and then the percentage of the total that the two servers grabbed. If one falls below 40%, I see Error in the timechart, but the alert wasn't generating. When I set the custom condition to "search Error", I got alerts continually. Any thoughts?
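As an added illustration (not part of the post above), this is the same query with a custom trigger condition that is qualified by field name. In Splunk, a custom trigger condition is itself a search that is run against the result rows of the alert's search, and the alert fires when that search returns at least one row. An unqualified term such as "search Error" matches any row that contains the string "Error" in any field, whereas qualifying the condition restricts it to the two status fields. The host names Server1 and Server2 are taken from the query above and are assumed here to be the literal values of the host field.

```splunk
# Base search (hypothetical sourcetype and host names, copied from the post above)
sourcetype="engine" Acceptedmessage run
| timechart count span="1h" by host
# Per-bucket share of accepted messages for each server, as a percentage
| eval total=Server1+Server2
| eval Test1=round((Server1/total)*100, 1)
| eval Test2=round((Server2/total)*100, 1)
# Flag any bucket in which a server took less than 40% of the total
| eval Result1=if(Test1 < 40, "Error", "OK")
| eval Result2=if(Test2 < 40, "Error", "OK")
| fields _time, Test1, Result1, Test2, Result2

# Custom trigger condition (entered in the alert's "Trigger condition" box,
# not appended to the search itself). It is run against the rows above and
# the alert fires if one or more rows match.
search Result1="Error" OR Result2="Error"
```

Because the trigger condition is evaluated over every row the search returns, the alert fires whenever any hourly bucket in the search's time range is flagged, not only the most recent one; narrowing the search's time range to the interval the alert is scheduled on, or adding `| tail 1` before the trigger condition, limits the check to the latest complete bucket.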