One of our application logs prints the queue size for multiple users. The same application is also running on multiple hosts, so the logs we are indexing contain queue-size info for multiple users across multiple hosts. Since the queue size and user names are not standard fields, I've renamed them within the query.
The search string below lists the queue-size data by user and host. I wish to set up an alert only when the queue size for any user on any node goes above 1000. I've tried using the "where" clause, but that does not work for some reason. Here is the sample query and the sample output:
host="*event*" AND "Queue size for" | stats first(field19) as QueueSize by field17, host | rename field17 as User, field19 as QueueSize | sort -QueueSize, User
Gives me this:
Client  host     QueueSize
A       Server1  0;
A       Server2  0;
B       Server1  0;
B       Server2  0;
C       Server1  0;
C       Server2  0;
D       Server1  0;
D       Server2  0;
I want to be able to alert when the queue size for any user on any server goes above 1000.
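As an added example (not the poster's query and not an answer from this thread), the same search with the queue size converted to a number before the threshold is applied. It assumes, from the sample output, that field19 holds values such as `0;` with a trailing `;`, which makes `where QueueSize > 1000` compare text instead of numbers; `field17` and `field19` are the names used in the question.

```spl
host="*event*" AND "Queue size for"
| rex field=field19 "^\s*(?<QueueSizeNum>\d+)"
| eval QueueSizeNum=tonumber(QueueSizeNum)
| stats first(QueueSizeNum) as QueueSize by field17, host
| rename field17 as User
| where QueueSize > 1000
| sort -QueueSize, User
```

Saved as an alert, this search returns rows only for user/host pairs over the threshold, so the alert trigger condition can simply be "number of results greater than 0".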