I have a .json sample data file which has 700 events and I have done the below search:
index=abc source=json response_code=123 |stats count [all time]
Now I am saving this result as an alert by
save as alert -> realtime -> number of results -> greater than 6 -> in 5 minutes
and saved it as email type alert. Then I pushed again some sample data to the file so that it matches the criteria and an alert is generated, but I don't see any alert triggered nor an email. Is there any way we can generate an alert, or it should be real-time data to generate alert?
Looks like you set up the alert to find more than 6 events, but the sample results you showed show just one line. You can change the trigger to "Custom" instead of "Number of results" and set the condition to "search count > 6".
Hope this helps
And the alert search is a real-time search with time windows of 5 min? Well regardless, after you put "| stats count", the number of results returned is 1, so the alert condition fails...
OK. I actually tried pushing some data into the file and set the alert to real time, but I don't see any alert generated. But when I did a scheduled alert with
earliest time : -5min@min
latest time: now
*/5 * * * *
It generated an alert.
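To make the two points in this thread concrete (the "number of results" trigger can never fire after "| stats count", and the scheduled cron-based form does fire), here is an added example in savedsearches.conf form; it is not from any of the posters and not Splunk's own documentation. Key names follow the savedsearches.conf spec as I know it, the stanza names and the email address are placeholders, and you should confirm the keys against the spec file shipped with your Splunk version.

```ini
# Added example, not part of the original thread. Two stanzas that contrast
# the alert as first described with the corrected, scheduled form.
# Key names follow savedsearches.conf; verify against your version's spec.

# 1) As first configured: real-time, "Number of results > 6" on a search
#    that ends in "| stats count". stats collapses every matching event into
#    a single row, so the result count is always 1 and the trigger can never
#    fire, however much matching data is appended to the file.
[json_response_123_broken]      ; placeholder stanza name
search = index=abc source=json response_code=123 | stats count
enableSched = 1
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
alert_type = number of events   ; compares the number of rows returned (1)
alert_comparator = greater than
alert_threshold = 6
action.email = 1
action.email.to = soc@example.com   ; placeholder address

# 2) Corrected form, as the last reply describes: run every 5 minutes over
#    the last 5 minutes, and compare the value in the count field rather
#    than the number of rows.
[json_response_123_fixed]       ; placeholder stanza name
search = index=abc source=json response_code=123 | stats count
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
alert_type = custom
alert_condition = search count > 6   ; evaluated against the stats row
action.email = 1
action.email.to = soc@example.com   ; placeholder address
```

Dropping "| stats count" from the search would also let the "number of results" trigger work, since the alert would then see one row per matching event.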