I have this simple search to find out some errors in the logs:
index=cohl source=msmq earliest=-24h@h latest=now "System.Data.SqlClient.SqlException: Timeout expired*" "Servername*" | xmlkv | dedup Machine | stats count by Machine
As a result of this search, I get a table which has one row listing of all the servers and another row listing the count, this count is the number of occurrences of the keyword.
I need to create an alert to send email if, in 15 minutes, the count on any of the servers is more than 10. Any idea on how to do it??
Have your search look back 15 minutes and in spot labeled "Trigger alert when", use the "Custom" action and add :
If, on the other hand, you want to look back 24 hours and get a count for every 15 minutes, try
your base search | bin _time span=15m | stats count BY _time Machine | search count>10
In addition, there's no need to
dedup Machine when you use
stats count BY Machine
I can do that, but my requirement is little bit different.
As I mentioned in my question, each server will have certain number of events and the result of my query will give the list of servers, I want to send an alert when on any of the server the number of occurrences of events is more than 10.
If that's the case, then the first part of my answer is what you want.