Solved: Alert based on sum(time)

aniketb · ‎08-16-2012

Hi,

I have a query for 1 hour as:

"Search String" sourcetype="XX" source="XX" | stats sum(time) by host

I have 2 hosts and i see

host1 28.7
host2 45.9

I need to set an alert if any of these host values reach 100. Any pointers?

BobM · ‎08-16-2012

You can use where to filter the results

"Search String" sourcetype="XX" source="XX" | stats sum(time) as duration by host | where duration >= 100

Or if you wan to keep the smaller results you can set a custom condition in the alert settingss to be

where duration >= 100

BobM · ‎08-16-2012

You can use where to filter the results

"Search String" sourcetype="XX" source="XX" | stats sum(time) as duration by host | where duration >= 100

Or if you wan to keep the smaller results you can set a custom condition in the alert settingss to be

where duration >= 100

aniketb · ‎08-16-2012

Thanks BobM!

Alert based on sum(time)