Solved: Re: How do you create an alert which compares two ...

amarpravin · ‎09-12-2018

I have two querys :-

1st Query (this query gives me the total number of counts which match with log "data * is successfully created") :-

index=abc  "Data * is successfully created"  | stats count

2nd Query (this query gives me total message posted to kafka):-

index="abc" ("Data * is successfully posted to kafka topic") | rex "random=(?.*)}]" |  eval nowstring=strftime(now(), "%Y-%m-%d") | stats count

Now I want to create an alert based on 1st and 2nd query count:
E.g. if 1st query count != 2nd query count, trigger an alert.

Could you please help me to create this query ?

HiroshiSatoh · ‎09-12-2018

It is the case when it made it as a search sentence as it is.

(1st Query )
| stats count as count_1
| appendcols 
    [search (2st Query )
| stats count as count_2]
| where count_1!=count_2

HiroshiSatoh · ‎09-12-2018

It is the case when it made it as a search sentence as it is.

(1st Query )
| stats count as count_1
| appendcols 
    [search (2st Query )
| stats count as count_2]
| where count_1!=count_2

How do you create an alert which compares two different query counts?