Hi everyone,
I'm trying to write an alert, covering all indexes, that triggers when a specific number (say, 50) of events occur. However, I only want the alert to trigger if all 50 events are in the same index, not, for example, 40 in one index and 10 in another. Is there a way to specify this in the search string, or would I need to have a different alert for each index?
Will something like this work?
| tstats count WHERE index=* by index | where count>50
The problem is that this query returns only the count for each index where it's higher than 50. I need something like:
sourcetype=windows EventID=X status=Y earliest=-5m | stats count by EventID | where count>5 | search tstats count WHERE index=* by index | where count>0
Basically I need to execute the first part of the query for all the indexes, but I need to display separate results for each of the indexes.
Is it possible?
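One way to express the requirement described above, as an added example that is not part of the original post: run the event filter once across every index and let `stats` group by `index`, so each index gets its own count and the threshold is applied per index. The field names `EventID` and `status`, the values `X` and `Y`, and the 5-minute window are placeholders copied from the question; the value `50` is the threshold the question asks for.

```spl
index=* sourcetype=windows EventID=X status=Y earliest=-5m
| stats count BY index
| where count>50
```

Because `stats ... BY index` produces one row per index, 40 events in one index and 10 in another yields two rows with counts 40 and 10, neither of which passes `where count>50`, so the alert does not fire; 50 or more in a single index yields a row that does. Set the alert to trigger when the number of results is greater than 0. The `tstats` form from the question only works for indexed fields (such as `index`, `sourcetype`, `source`, `host`) and for accelerated data models; a search-time extracted field like `EventID` or `status` cannot be used in its `WHERE` clause, which is why the `stats` version above filters on those fields first.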