Hi,
I'm struggling to create an email alert.
My search query:
| rex "Heap:\s(?<HeapNum>[\d\.]+)(?<unit>\w+)" | search HeapNum!=" " | eval HeapNum = case(unit="K",HeapNum/1000,unit="M", HeapNum,unit="G", HeapNum*1000) | eval critical=15000 | table _time HeapNum critical
I want it to send an email to me when it reaches the critical value.
I created an alert, but it doesn't work. Can you please help with the configuration?
Hi pudanelilita,
try something like this
| rex "Heap:\s(?<HeapNum>[\d\.]+)(?<unit>\w+)"
| search NOT HeapNum=" "
| eval HeapNum = case(unit="K",HeapNum/1000,unit="M", HeapNum,unit="G", HeapNum*1000)
| search HeapNum>15000
| table _time HeapNum critical
Then in the alert's condition put activation when there are results (results>0)
Bye.
Giuseppe
It shows me: No results found.
First (my error!), replace
| search HeapNum>15000
with
| where HeapNum>15000
If you still have no results, delete the second search and then see what values you have for HeapNum, to check whether the condition is correct.
Bye.
Giuseppe
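The alert described in the answers above, written out as a savedsearches.conf stanza. This is an added example, not part of the original thread; the stanza name, the base-search placeholders, the schedule, the time window and the recipient address are assumptions.

```ini
# Added example: stanza name, base search, schedule, window and recipient are assumptions.
[Heap above critical]
# Replace the placeholders with the index and sourcetype that hold the "Heap:" events.
# The where clause also drops events in which no HeapNum was extracted.
search = index=<your_index> sourcetype=<your_sourcetype> "Heap:" \
| rex "Heap:\s(?<HeapNum>[\d\.]+)(?<unit>\w+)" \
| eval HeapNum = case(unit="K",HeapNum/1000,unit="M", HeapNum,unit="G", HeapNum*1000) \
| where HeapNum>15000 \
| table _time HeapNum
# Run every 5 minutes over the previous 5 minutes.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Trigger when the search returns at least one result (results > 0).
counttype = number of events
relation = greater than
quantity = 0
# Send the email and suppress repeat notifications for an hour.
action.email = 1
action.email.to = you@example.com
action.email.subject = Heap above 15000
alert.suppress = 1
alert.suppress.period = 1h
```

The same settings can be entered in the alert's UI form; the email action also needs the mail server to be configured in Splunk's email settings.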