How to create a single alert to trigger only when a threshold is passed by a single index, not all indexes combined?

Path Finder

Hi everyone,

I'm trying to write an alert, covering all indexes, that triggers when a specific number (say, 50) of events occur. However, I only want the alert to trigger if all 50 events are in the same index, not, for example, 40 in one index and 10 in another. Is there a way to specify this in the search string, or would I need to have a different alert for each index?

0 Karma


Hi khagan, you can do:

<your search> | stats count by index

And then through the gui (or savedsearches), you can make a custom alert to only trigger when one of the counts is > 50, but still display all of the counts.

alt text

0 Karma

Revered Legend

Will something like this would work

| tstats count WHERE index=* by index | where count>50
0 Karma


the problem is that this query return only the number of every index, if it's higher than 50, I need something like:

  sourcetype=windows  EventId=X status=Y earliest=-5m | stats count by EventID | where count>5 | search tstats count WHERE index=* by index|  where count>0

Basically I need to execute the first part of the query, for all the indexes, but I need to display separate results for each of the indexes.
Is it possible?

0 Karma