We want to run an alert like this:
1) index=foo condition=bar | stats count as errors | where errors > 0 AND errors < 1000
2) The alert has an action to send to a mailing list.
3) When we click on the alert, the users should see the actual raw events, not the stats count in the Statistics tab.
4) We also run a script
The reason for the > 0 and < 1000 is that we have other alerts for > 1000 and we do different actions.
The problem I can't solve is that when I set things up, when people click on the link in email, they see the statistics tab and don't see the raw events. They have to rerun in Verbose mode to see the raw events.
If it was just > 0, I could eliminate the stats count and say that the condition is > 0 events and then clicking on the link would get us to the raw events.
Got the answer.
The trick is to use values of _raw and then use mvexpand to make each event on a separate line. The output is sweet.
index=foo condition=bar | stats values(_raw) AS raw count as errors | where errors > 0 AND errors < 1000 | table errors raw | mvexpand raw
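The following Python model of that pipeline is an added illustration, not code from the original thread. It mimics what `stats values(_raw) AS raw count AS errors | where ... | mvexpand raw` does to a handful of constructed sample events, including the one property worth knowing before relying on this in an alert: `values()` returns distinct values only, so exact duplicate events collapse into a single expanded row even though `errors` still counts every event.

```python
# Added example (not from the original post): a minimal model of the SPL pipeline
#   stats values(_raw) AS raw count AS errors | where errors > 0 AND errors < 1000 | mvexpand raw
# All sample events below are constructed, not real log data.

# Constructed "_raw" values; note the duplicate line, which values() will merge.
SAMPLE_EVENTS = [
    '2024-01-01T10:00:01Z host=web1 condition=bar msg="upstream timeout"',
    '2024-01-01T10:00:02Z host=web2 condition=bar msg="upstream timeout"',
    '2024-01-01T10:00:01Z host=web1 condition=bar msg="upstream timeout"',  # duplicate
    '2024-01-01T10:00:05Z host=web3 condition=bar msg="tls handshake failed"',
]


def stats_values_count(events):
    """Model of `stats values(_raw) AS raw count AS errors`.

    count counts every event; values() keeps only distinct values,
    ordered lexicographically, so duplicates collapse into one entry.
    """
    return {"errors": len(events), "raw": sorted(set(events))}


def where_between(row, low=0, high=1000):
    """Model of `where errors > 0 AND errors < 1000` (exclusive on both ends)."""
    return low < row["errors"] < high


def mvexpand(row, field):
    """Model of `mvexpand <field>`: one output row per multivalue entry,
    with every other field copied unchanged onto each row."""
    return [dict(row, **{field: value}) for value in row[field]]


def run_pipeline(events):
    """Run the whole pipeline; returns the expanded rows (possibly none)."""
    row = stats_values_count(events)
    if not where_between(row):
        return []
    return mvexpand(row, "raw")


if __name__ == "__main__":
    for out in run_pipeline(SAMPLE_EVENTS):
        print(out["errors"], out["raw"])
```

On the sample above `errors` is 4 but only 3 rows come out of `mvexpand`, because the duplicate line was merged by `values()`. If the alert must show every event, including identical ones, `list(_raw)` preserves duplicates (Splunk caps it at 100 values), and the count shown on each row should be read as the total matched, not the number of rows.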