Hi,
I am interested in alerting on the following scenario:
A "generate" event occurs and a "delete" event is not seen in the next 10 min.
Right now I have something similar to the following:
index=myindex type=generate OR type=delete | get a consistent field from both event types | transaction field | search eventcount < 2 | table field 1,2,3
I am generating false positives in the following scenario:
Alert runs over data from 1pm-2pm, the generate event happened at 1:55 and the delete at 2:01, this is valid in the 10 min window but the search as I have it will trigger an event.
Is there a better way to go about this maybe using map or a subsearch?
Thanks!
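The false positive described above comes from judging every generate event inside a fixed search window, so a generate near the end of the window is penalised for a delete that the next window will contain. The example below is added here and is not the poster's code or Splunk SPL; it models the two approaches in Python over a constructed set of events so the boundary behaviour can be seen. It assumes a correlation field called "id" (standing in for the unnamed "consistent field" in the post) and a "_time" string in the format shown. It also goes one step beyond the original search by enforcing the 10-minute limit itself, so a delete that arrives 18 minutes after its generate is still reported.

```python
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=10)

# Constructed sample events (not from the original post). "id" is an assumed
# stand-in for the field that both event types share.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01 13:05:00", "type": "generate", "id": "A"},
    {"_time": "2024-01-01 13:07:00", "type": "delete",   "id": "A"},  # cleaned up in 2 min: fine
    {"_time": "2024-01-01 13:20:00", "type": "generate", "id": "B"},  # never deleted: true alert
    {"_time": "2024-01-01 13:40:00", "type": "generate", "id": "D"},
    {"_time": "2024-01-01 13:58:00", "type": "delete",   "id": "D"},  # deleted, but 18 min later
    {"_time": "2024-01-01 13:55:00", "type": "generate", "id": "C"},
    {"_time": "2024-01-01 14:01:00", "type": "delete",   "id": "C"},  # within 10 min, but after 14:00
]


def _t(s):
    return datetime.strptime(s, TS)


def naive_alerts(events, earliest, latest):
    """Mimic the original search: keep only events inside [earliest, latest),
    group by id, alert on every group with no delete. This ignores the
    10-minute limit and cannot see deletes that land after `latest`, which is
    the 1:55 / 2:01 false positive from the post."""
    earliest, latest = _t(earliest), _t(latest)
    groups = {}
    for ev in events:
        if earliest <= _t(ev["_time"]) < latest:
            groups.setdefault(ev["id"], set()).add(ev["type"])
    return sorted(i for i, types in groups.items() if "delete" not in types)


def alerts_for_run(events, earliest, latest, window=WINDOW):
    """Boundary-safe version. Each generate event is judged exactly once: by
    the run whose [earliest, latest) range contains its deadline (generate
    time + window). A generate at 13:55 has a 14:05 deadline, so the 13:00-14:00
    run defers it and the 14:00-15:00 run sees the 14:01 delete. Deletes are
    matched over the full window, which can start before `earliest`, so the
    run must be fed events from `earliest - window` onward."""
    earliest, latest = _t(earliest), _t(latest)
    deletes = {}
    for ev in events:
        if ev["type"] == "delete":
            deletes.setdefault(ev["id"], []).append(_t(ev["_time"]))
    alerts = []
    for ev in events:
        if ev["type"] != "generate":
            continue
        gen_time = _t(ev["_time"])
        deadline = gen_time + window
        if not (earliest <= deadline < latest):
            continue  # belongs to an earlier or later run, not this one
        if not any(gen_time <= d <= deadline for d in deletes.get(ev["id"], [])):
            alerts.append(ev["id"])
    return sorted(alerts)


if __name__ == "__main__":
    print("naive 13:00-14:00:", naive_alerts(SAMPLE_EVENTS, "2024-01-01 13:00:00", "2024-01-01 14:00:00"))
    print("fixed 13:00-14:00:", alerts_for_run(SAMPLE_EVENTS, "2024-01-01 13:00:00", "2024-01-01 14:00:00"))
    print("fixed 14:00-15:00:", alerts_for_run(SAMPLE_EVENTS, "2024-01-01 14:00:00", "2024-01-01 15:00:00"))
```

The practical translation back to a scheduled search is to widen the time range by the 10-minute window (so deletes from just before the run and generates from the previous run's tail are both visible) and to evaluate only generate events that are already at least 10 minutes old relative to the search's latest time; generates younger than that are left for the next run. Splunk's transaction command also has a maxspan option that closes a transaction after a fixed duration, which is what enforces the "within 10 minutes" part that the original search does not check.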