I have to create an alert based on the number of events. I need to define the criticality and include it in the subject of the alert. But I am using the eventstats command in my search, so I am not able to use the fields in the alert subject or body. Please provide an alternative.
Base query
| eval counter=case(
(time_taken > 90000), "Count_90",
some switch cases
(time_taken > 4000), "Count_4"
)
| eventstats count(eval(match(counter,"Count_90"))) as "Counter_90"
             count(eval(match(counter,"Count_60"))) as "Counter_60"
             count(eval(match(counter,"Count_30"))) as "Counter_30"
             count(eval(match(counter,"Count_20"))) as "Counter_20"
             count(eval(match(counter,"Count_15"))) as "Counter_15"
             count(eval(match(counter,"Count_10"))) as "Counter_10"
             count(eval(match(counter,"Count_4"))) as "Counter_4"
| eval criticality = case(
(Counter_90>5), "Critical-90s",
Some switch cases
(Counter_4>24), "Critical-4s",
(Counter_4>11 AND Counter_4 <= 17), "Warning-4s"
)
| table criticality,Time,host,c_ip,cs_uri_stem,s_ip,s_port,sc_status,sc_substatus,time_taken
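One way to get the criticality into the alert subject, written up here as an added example rather than the poster's own search or alert configuration: replace eventstats with stats so the search returns a single summary row, and let the email action read that row's fields through `$result.<field>$` tokens. The stanza name, sourcetype, recipient address, schedule and the two thresholds kept from the search above are assumptions; the elided "switch cases" are not reproduced.

```ini
# Added example (savedsearches.conf stanza), not the original poster's
# configuration: stanza name, sourcetype, recipient, thresholds and
# schedule are assumptions.
[slow_requests_criticality]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# stats (rather than eventstats) collapses the matching events into one
# summary row, so the alert tokens below can read its fields. The case()
# thresholds follow the original search; true() catches everything else.
search = sourcetype=iis \
| eval counter=case(time_taken > 90000, "Count_90", time_taken > 4000, "Count_4", true(), "Count_ok") \
| stats count(eval(counter=="Count_90")) AS Counter_90 count(eval(counter=="Count_4")) AS Counter_4 count AS total_events \
| eval criticality=case(Counter_90 > 5, "Critical-90s", Counter_4 > 24, "Critical-4s", Counter_4 > 11 AND Counter_4 <= 17, "Warning-4s", true(), "Normal") \
| where criticality != "Normal"

# Trigger whenever the search returns a row, i.e. criticality is not "Normal".
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# $result.<field>$ is taken from the first result row; with stats there is
# exactly one row, so the subject carries the criticality and the counts.
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = [$result.criticality$] $result.total_events$ slow requests ($result.Counter_90$ over 90s, $result.Counter_4$ over 4s)
action.email.message.alert = Saved search "$name$" triggered with criticality $result.criticality$.
action.email.inline = 1
action.email.format = table
```

The same `$result.criticality$` token can be typed into the Subject field of the alert's email action in Splunk Web instead of editing the conf file; `$job.resultCount$` is available if only the number of returned rows is needed. Because stats discards the individual events, this form of the alert reports the summary only; the per-event table from the original search is not in the email body.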