topic Re: How to get an alert only when the count is continuously 0 for consecutive 5 minutes? in Alerting

How to get an alert only when the count is continuously 0 for consecutive 5 minutes?

sahil237888 — Tue, 14 Aug 2018 18:16:53 GMT

I want to run a query for every 10 minutes timeframe. But it should alert only when count is continuously 0 for consecutive 5 minutes.

Re: How to get an alert only when the count is continuously 0 for consecutive 5 minutes?

livehybrid — Tue, 14 Aug 2018 18:31:37 GMT

So, schedule a search that runs every 10 minutes that does this:
index=main | timechart span=1m dc(src_ip) as testCount | eval error=IF(testCount>0, 1, 0) | streamstats window=5 sum(error) as errorSample | eval alert=IF(errorSample>=5,"ALERT","OKAY")

Re: How to get an alert only when the count is continuously 0 for consecutive 5 minutes?

sahil237888 — Thu, 16 Aug 2018 19:08:40 GMT

After 5 , it is not restting the counter.
The counter should be 0 after 5.

Re: How to get an alert only when the count is continuously 0 for consecutive 5 minutes?

sahil237888 — Fri, 17 Aug 2018 13:50:13 GMT

_Time Count Counter
17-08-18 8:09 100 0
17-08-18 8:10 500 0
17-08-18 8:11 81 0
17-08-18 8:12 20 0
17-08-18 8:13 56 0
17-08-18 8:14 0 1
17-08-18 8:15 0 2
17-08-18 8:16 0 3
17-08-18 8:17 0 4
17-08-18 8:18 0 5
17-08-18 8:19 789 0
17-08-18 8:20 5 0
17-08-18 8:21 0 1
17-08-18 8:22 0 2
17-08-18 8:23 0 3
17-08-18 8:24 86 0

Here basically the query should check within 10 minutes timeframe.
and If there is continuously 0 in continuous 5 minutes, It should increase counter value to +1 with every occurrence of 0 continuously. The counter will be reset to 0 if there is no 0 in count column.

and should send alert that there is continuous 0 in continuous 5 minutes (it should also show the result at the time the count was 0.