Hi
This is my search query: source=***************************************** | table ORDERID "Delay(in days)"
This is the result of the search query:
ORDERID Delay(in days)
1 269150751 4.00
2 269126721 7.00
3 269157489 21.00
4 269153074 114.00
5 269159590 217.00
6 269110381 118.00
7 269163859 24.00
I want to create alerts for those ORDERIDs whose Delay is greater than 100.
Please tell me what type of alert I should select and the important parameters.
You can use an if condition as well. The field name contains a space and parentheses, so it has to be wrapped in single quotes inside eval:
... | eval delayalert=if('Delay(in days)'>100, "Delay for the ".ORDERID." more than 100 days", "OK") | table ORDERID "Delay(in days)" delayalert
In the alert, there is a dropdown for the trigger condition; select "if custom condition is met" and type: where delayalert!="OK".
It sends an e-mail with the delayalert showing which ORDERID is taking more than 100 days.
The above sends an e-mail only when the ORDERID is more than 100; otherwise it doesn't send the e-mail. If you want the e-mail to be sent always, irrespective of the status, schedule the e-mail.
You can add a filter to your search to only show those ORDERIDs that are more than 100 days delayed. In the where command a field name with special characters must be in single quotes (double quotes would make it a string literal, and the comparison would never match):
your base search | where 'Delay(in days)'>100 | table ORDERID "Delay(in days)"
Then set a schedule for the search and alert condition "always". This will be more like a scheduled report than an alert.
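As an added example (not code from either answer above), here are both approaches written as savedsearches.conf stanzas, which is what the Search & Reporting alert dialog produces behind the scenes. The source value, the app location, the cron schedule, the time range and the e-mail address are placeholders/assumptions; the field and stanza names are constructed for this example.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# Placeholders: <redacted source> and ops-team@example.com are constructed values.

# Approach 1 (first answer): flag each row with eval, fire on a custom condition.
# The e-mail goes out only when at least one row has delayalert != "OK".
[Order delay over 100 days - custom condition]
search = source="<redacted source>" | eval delayalert=if('Delay(in days)'>100, "Delay for the ".ORDERID." more than 100 days", "OK") | table ORDERID "Delay(in days)" delayalert
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 0 8 * * *
alert_type = custom
alert_condition = search delayalert!="OK"
alert.track = 1
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = Orders delayed more than 100 days
action.email.sendresults = 1
action.email.inline = 1

# Approach 2 (second answer): filter in the search, trigger condition "always".
# Because alert_type = always fires on every run even with zero results, this
# behaves like a scheduled report: one e-mail per run regardless of the data.
[Order delay over 100 days - always]
search = source="<redacted source>" | where 'Delay(in days)'>100 | table ORDERID "Delay(in days)"
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 0 8 * * *
alert_type = always
alert.track = 1
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = Daily order delay report (over 100 days)
action.email.sendresults = 1
action.email.inline = 1
```

If you want the filtered search of approach 2 to mail only when at least one order is over the threshold, replace `alert_type = always` with `alert_type = number of events`, `alert_comparator = greater than` and `alert_threshold = 0`; that gives the same behaviour as approach 1 without the extra eval field. Either way, check the alert's run-as and sharing settings so only the intended role can edit the search or the recipient list.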