Can someone tell me, or point me in the direction of, how to set up an alert based on the value of a field? Basically, the field is an integer indicating some queue size, and if it goes above some threshold I would like an alert/email to be sent out.
I think you want to do something like this.
index=this_index query_terms_here | stats count by value | where value>10
Then just set your alert to trigger when # of events is greater than 0.
index="Windows" sourcetype=WinEventLog:Security | stats count by host | where count>100
Then set your alert.
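As an added example (not part of either answer above), here is a search that applies the same "filter, then alert when results > 0" pattern directly to the integer field the question describes, rather than counting events. The index `app_logs`, sourcetype `queue_metrics`, field `queue_size` and threshold 100 are assumed placeholders; substitute your own.

```spl
index=app_logs sourcetype=queue_metrics
| where isnum(queue_size) AND queue_size > 100
| stats max(queue_size) AS max_queue_size, latest(_time) AS last_seen by host, queue_name
| convert ctime(last_seen)
```

Save this as a scheduled alert (for example, run every 5 minutes over the last 5 minutes) with the trigger condition "Number of results is greater than 0" and an email action. The `isnum` guard keeps a malformed or missing `queue_size` from silently dropping out of the comparison, and the `stats ... by host, queue_name` collapses repeated samples so a single sustained backlog produces one row per queue instead of one per event.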