Hi,
Could anyone please assist me in writing a query to check the frequency of alerts over a 12-month period
for all alerts starting with FD, so FD*?
Example alert names are FD_GHH_LTR, FD_GHH_TCP, etc.
Query => index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD* | timechart count by alert
Thanks Yannk, will give this a go.
You are almost good, just add a span of time:
index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD*
| timechart span=1month count by alert
If you have more than 10 types of alerts, you can add a higher limit:
index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD*
| timechart span=1month count by alert limit=30
If you do not really care about the alert name and just want to count the total:
index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD*
| timechart span=1month count
Finally, if you want the results as a table rather than a timechart, use stats:
index=ALL_Alerts sourcetype=test_source host=5d5d alert=FD*
| bucket _time span=1month | stats count by _time alert
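To make it concrete what the pipelines above do to the events, here is an added Python re-implementation of the same steps (the FD* prefix filter, monthly bucketing, count by alert, and timechart's behaviour of keeping only the top `limit` series by total count and folding the rest into an OTHER series) run over a constructed event list. This is illustration code written for this thread, not Splunk's own code; the event list and the function names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample events (not real data): (_time in UTC, alert name).
EVENTS = [
    ("2023-01-05T10:00:00Z", "FD_GHH_LTR"),
    ("2023-01-17T11:30:00Z", "FD_GHH_TCP"),
    ("2023-01-20T09:15:00Z", "FD_GHH_LTR"),
    ("2023-02-02T08:00:00Z", "FD_GHH_TCP"),
    ("2023-02-14T13:45:00Z", "XX_NOT_FD"),   # dropped by alert=FD*
    ("2023-03-01T00:00:00Z", "FD_GHH_LTR"),
    ("2023-03-21T22:10:00Z", "FD_ABC_DNS"),
]

def month_bucket(ts: str) -> str:
    """`bucket _time span=1month`: truncate the timestamp to its calendar month."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")

def monthly_counts(events, pattern="FD*", limit=None):
    """`alert=FD* | timechart span=1month count by alert limit=N`.
    Returns {month: {alert: count}}. Like timechart, only the `limit` series
    with the highest overall count keep their own name; the remaining series
    are folded into "OTHER". Months and series with no hits are omitted."""
    hits = [(month_bucket(t), a) for t, a in events
            if fnmatchcase(a.lower(), pattern.lower())]  # field match is case-insensitive
    totals = Counter(a for _, a in hits)
    keep = set(totals) if limit is None else {a for a, _ in totals.most_common(limit)}
    table = defaultdict(Counter)
    for month, alert in hits:
        table[month][alert if alert in keep else "OTHER"] += 1
    return {m: dict(c) for m, c in sorted(table.items())}

def monthly_total(events, pattern="FD*"):
    """`alert=FD* | timechart span=1month count` (no split by alert)."""
    return {m: sum(c.values()) for m, c in monthly_counts(events, pattern).items()}

def stats_rows(events, pattern="FD*"):
    """`bucket _time span=1month | stats count by _time alert` as flat rows."""
    return [(m, a, n) for m, c in monthly_counts(events, pattern).items()
            for a, n in sorted(c.items())]

if __name__ == "__main__":
    for row in stats_rows(EVENTS):
        print(*row)
```

Raising `limit` (or setting `limit=0`) in the real query is what stops low-volume alert names from disappearing into OTHER, which is why the limit matters when you are counting frequency per alert.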