I am trying to get the counts of events in a 60-minute timeframe with a span of every 10 minutes, and if the count is less than 80%, it should be compared to the last span of 10 minutes, and then trigger an alert.
Is there a way to do this?
I have the following query so far but need help with the other part of the question:
index="test" | timechart count span=10m
I have selected the time range for 60 minutes.
I think you want to add the following to your SPL:
| streamstats current=f last(count) as last_count
| eval Percent=if(isnotnull(last_count), round((count-last_count)/last_count*100,2)+100, 100)
If that isn't what you want, at least the streamstats should get you what you want, and then it is just about doing your calculation.
Thank you,
Brian
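Putting the two pieces together as one complete search, as an added example that is not part of Brian's answer or the original question. It assumes the same index="test" and the 80% threshold from the question; the explicit window=1 on streamstats, the guard against a zero or missing previous bucket, and the final where/table lines are additions here.

```spl
index="test" earliest=-60m@m latest=@m
| timechart span=10m count
| streamstats current=f window=1 last(count) as last_count
| eval Percent=if(isnotnull(last_count) AND last_count>0, round(count/last_count*100,2), null())
| where Percent<80
| table _time count last_count Percent
```

Each row of the timechart is one 10-minute bucket; streamstats with current=f and window=1 copies the previous bucket's count into last_count, so Percent is the current bucket expressed as a percentage of the one before it (the same value as round((count-last_count)/last_count*100,2)+100, written directly). The first bucket has no predecessor and a previous bucket of 0 would divide by zero, so both are set to null and dropped by the where clause instead of firing spuriously. Save the search as an alert, schedule it every 10 minutes, and use the trigger condition "number of results is greater than 0". Two things to check before relying on it: if the search window does not end on a 10-minute boundary the last bucket is partial and will look like a drop, and a genuine outage that lasts more than one bucket only trips the first comparison, because the next bucket is compared against an already-low last_count.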
Awesome, thanks @bkrik. That helped a lot.