Re: Cron or Time Period

nijwoolley · ‎06-07-2017

sourcetype=marketops_cmva_extract_generator ORA-08103 | stats count | where count >10

I have the above search and I want to know the best way to alert for when I have 10 entries in the last hour

I set a cron in the alert set up to look at last hour and relative time in search for last hour

Seems it won't save when you have a cron and the hour setting in relative time

whats the best way to do this please?

dineshraj9 · ‎06-07-2017

Your query will return results only when the count is > 10 because of the where condition -

sourcetype=marketops_cmva_extract_generator ORA-08103 | stats count | where count >10

Run this for -1h@h to @h

and set the cron as 0 * * * *

condition as number of events > 0

nijwoolley · ‎06-07-2017

Thanks

What time search period should I use ?

nijwoolley · ‎06-07-2017

I only want it to alert when >10 of these errors so why use "condition as number of events > 0"?

dineshraj9 · ‎06-07-2017

You already have a condition in your query where count > 10, so your query will return a result only if count is > 10.

nijwoolley · ‎06-07-2017

Ok cheers

dineshraj9 · ‎06-07-2017

Great! Please accept the answer and upvote any comment that has helped you arrive at a solution.

dineshraj9 · ‎06-07-2017

You have to run it every hour on top of the hour -

Run this for -1h@h to @h

martin_mueller · ‎06-07-2017

Make sure you're actually using relative time like -1h and not real-time like rt-1h.

For more detailed help do share your actual settings that fail, and what message you get when they fail.

Cron or Time Period