I'm currently running an alert, which updates every minute with a range of -1m to -2m, for each new log based on unique JOBNAMEs. I want to create an alert each time a new JOBNAME occurs for the first time, but not again if the same JOBNAME occurs again on a given day.
Dedup is used to remove duplicates, and I can use it in order to only have unique JOBNAMEs per 24-hour period, but this won't only show the first-time entry per JOBNAME. I'm thinking I need to do my regular search, with the alert parameters set to every minute, span -1m to -2m, for each result, and then NOT that against the results found in the same day based on JOBNAME. Any help/ideas?
Here is the search result for a given day:
```
index = x [ | inputlookup Jobnames.csv | fields JOBNAME ]

JOBNAME   DATETIME
CIPB0021  2017-07-31 20:41:07.20 -0700
CIPB0024  2017-07-31 20:45:59.69 -0700
CIPB0021  2017-07-31 20:48:15.50 -0700
CIPB0024  2017-07-31 20:54:42.04 -0700
CIPB0024  2017-07-31 20:57:25.70 -0700
CIPB0021  2017-07-31 20:58:25.80 -0700
CIPB0021  2017-07-31 21:02:59.15 -0700
CIPB0024  2017-07-31 21:03:28.13 -0700
CIBI0991  2017-07-31 21:16:59.60 -0700
CIBI0991  2017-07-31 21:40:29.76 -0700
```
Here is the search result using dedup:
```
index = x [ | inputlookup Jobnames.csv | fields JOBNAME ] | bucket _time span=24hr | dedup JOBNAME _time

JOBNAME   DATETIME
CIPB0021  2017-07-31 20:58:25.80 -0700
CIPB0024  2017-07-31 21:03:28.13 -0700
CIBI0991  2017-07-31 21:16:59.60 -0700
```
As you can see, CIPB0021 occurred 4 times, and it filtered to show the 3rd. CIPB0024 occurred 4 times, and it filtered to show the 4th. CIBI0991 occurred 2 times, and it showed the 1st. Also, bucket uses the last 24 hours and not only the same day, so if something occurs at 1am, it would use most of the previous day in the comparison, which I don't want.
I only want to create alerts for the following:
```
JOBNAME   DATETIME
CIPB0021  2017-07-31 20:41:07.20 -0700
CIPB0024  2017-07-31 20:45:59.69 -0700
CIBI0991  2017-07-31 21:16:59.60 -0700
```
If I throttle the alert, how would I prevent it from running for the rest of the day? The options are seconds/minutes/hours/days.
Would that run over into the following day? Ex: alert triggers at 11pm -> set to ignore for 24 hours -> won't it ignore all of the following day up until 11pm? I want it to only ignore 1hr in that case, or if an alert is triggered at 7pm, ignore for 5 hrs.
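The first-seen-per-calendar-day logic the question describes, and the rest-of-day throttle window it asks about, worked through in Python as an added example (not code from the post or from Splunk). It assumes the DATETIME format shown in the results above and uses a constructed copy of those rows plus one next-day row to show the day boundary.

```python
from datetime import datetime, timedelta

# Constructed sample input mirroring the JOBNAME/DATETIME rows in the post,
# plus one extra row just after local midnight to exercise the day boundary.
SAMPLE_EVENTS = [
    ("CIPB0021", "2017-07-31 20:41:07.20 -0700"),
    ("CIPB0024", "2017-07-31 20:45:59.69 -0700"),
    ("CIPB0021", "2017-07-31 20:48:15.50 -0700"),
    ("CIPB0024", "2017-07-31 20:54:42.04 -0700"),
    ("CIPB0024", "2017-07-31 20:57:25.70 -0700"),
    ("CIPB0021", "2017-07-31 20:58:25.80 -0700"),
    ("CIPB0021", "2017-07-31 21:02:59.15 -0700"),
    ("CIPB0024", "2017-07-31 21:03:28.13 -0700"),
    ("CIBI0991", "2017-07-31 21:16:59.60 -0700"),
    ("CIBI0991", "2017-07-31 21:40:29.76 -0700"),
    ("CIPB0021", "2017-08-01 00:05:00.00 -0700"),  # new calendar day: fires again
]


def parse_ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS.ff -0700' format used in the post (offset-aware)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f %z")


def first_seen_per_day(events):
    """Return only the first occurrence of each JOBNAME on its local calendar day.

    The key is (local date, JOBNAME), so the window is the calendar day rather than
    a rolling 24 hours, which is the behaviour bucket/dedup gave the asker.
    """
    seen = set()
    firsts = []
    for job, ts in sorted(events, key=lambda e: parse_ts(e[1])):  # earliest first
        key = (parse_ts(ts).date(), job)
        if key in seen:
            continue
        seen.add(key)
        firsts.append((job, ts))
    return firsts


def throttle_seconds_until_midnight(ts: str) -> int:
    """Seconds from the triggering event to the next local midnight.

    This is the suppression length that silences the alert only for the rest of
    that day (1h for an 11pm trigger, 5h for a 7pm trigger) instead of a fixed 24h.
    """
    t = parse_ts(ts)
    next_midnight = (t + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((next_midnight - t).total_seconds())
```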