I want to trigger an alert only when the results have changed. The frequency of my alert is 15 minutes, so I should get the next alert only when the message is different.
I'm trying to compare the current index results with the previous results using a lookup, but how do I compare these messages?
earliest=-60m@m index=* fail
| rex field=_raw ": (?<Error>.*)"
| stats earliest(_time) as Earliest, latest(_time) as Latest, count by Error
| eval Earliest=strftime(Earliest, "%F %T"), Latest=strftime(Latest, "%F %T")
| table Earliest, Latest, Error, count
| append
    [| inputlookup test.csv ]
I want to compare the Error field and return results only if the current Error value is different.
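One way to get the "only what is new" behaviour the post asks for, as an added example that is not part of the original post: tag each side of the `append` with a marker field, group by `Error`, and keep only the values that appear on the current side but not in the lookup. It assumes `test.csv` holds the previous run's rows with an `Error` column (the other column names and the `src` marker are illustrative), and it reuses the rex group name `Error` from the question.

```spl
earliest=-15m@m index=* fail
| rex field=_raw ": (?<Error>.*)"
| stats earliest(_time) as Earliest, latest(_time) as Latest, count by Error
| eval src="current"
| append
    [| inputlookup test.csv
     | fields Error
     | eval src="previous" ]
| stats values(src) as src, values(Earliest) as Earliest, values(Latest) as Latest, sum(count) as count by Error
| where mvcount(src)=1 AND mvindex(src,0)="current"
| eval Earliest=strftime(Earliest, "%F %T"), Latest=strftime(Latest, "%F %T")
| table Earliest, Latest, Error, count
```

Set the alert to trigger when the number of results is greater than zero. The lookup has to be refreshed with the current set of errors after each run (for example, a second scheduled search that ends in `| outputlookup test.csv`, or `| outputlookup test.csv` placed right after the first `stats ... by Error` line; the latter relies on the `append` subsearch being evaluated before the outer pipeline, so verify that ordering on your Splunk version before trusting it). Note that `inputlookup` inside `append` is limited by the subsearch row limits, so very large lookups may be truncated silently.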