I have events which update every 1 minute; if the Status field is true for more than 5 min, I need to trigger an alert.
1:00 Status = False
1:03 Status = True
1:07 Status = False
1:10 Status = True
1:13 Status = True
1:16 Status = True
Now I need to trigger an alert as the Status is true from 1:10 to 1:16, which is more than 5 minutes.
If in between it came false, I don't need an alert.
Thanks in advance.
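To pin down the rule the question asks for, here is an added reference implementation in Python (not from any poster in this thread): it walks the sample readings above, grouped by place, and reports each unbroken run of Status=True whose span exceeds 5 minutes, with any False reading resetting the run. The "place" field name and the "siteA" value are assumptions taken from the follow-up that mentions grouping by place.

```python
from collections import defaultdict
from datetime import timedelta

THRESHOLD = timedelta(minutes=5)

# Constructed sample data: the six readings from the question, assigned to one
# assumed place "siteA" so the per-place grouping can be shown.
SAMPLE_EVENTS = [
    ("1:00", "siteA", "False"), ("1:03", "siteA", "True"), ("1:07", "siteA", "False"),
    ("1:10", "siteA", "True"), ("1:13", "siteA", "True"), ("1:16", "siteA", "True"),
]

def parse_hm(text):
    """'1:16' -> timedelta(hours=1, minutes=16); a time-of-day offset is enough here."""
    hours, minutes = text.split(":")
    return timedelta(hours=int(hours), minutes=int(minutes))

def fmt_hm(delta):
    """Inverse of parse_hm, for readable output."""
    total = int(delta.total_seconds() // 60)
    return f"{total // 60}:{total % 60:02d}"

def sustained_true_alerts(events, threshold=THRESHOLD):
    """Return {place: [(true_since, seen_at), ...]} for every unbroken run of
    Status=True whose span (first True reading to a later True reading) is
    strictly longer than threshold. A False reading resets the run, so the
    1:03-1:07 run above never fires; each qualifying run is reported once."""
    by_place = defaultdict(list)
    for time_text, place, status in events:
        by_place[place].append((parse_hm(time_text), status.strip().lower() == "true"))
    alerts = defaultdict(list)
    for place, readings in by_place.items():
        true_since, fired = None, False
        for t, is_true in sorted(readings):          # order by time, not arrival
            if not is_true:
                true_since, fired = None, False      # any False breaks the streak
                continue
            if true_since is None:
                true_since = t                       # streak starts at first True
            elif not fired and t - true_since > threshold:
                alerts[place].append((fmt_hm(true_since), fmt_hm(t)))
                fired = True                         # one alert per run
    return dict(alerts)

if __name__ == "__main__":
    print(sustained_true_alerts(SAMPLE_EVENTS))     # {'siteA': [('1:10', '1:16')]}
```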
| stats latest(status) as statusLast latest(time) as time by place
| eval now=now() | eval downSince=now-time | eval downMoreThan5Min=if(downSince>300,1,0)
| search statusLast="True" AND downMoreThan5Min=1
Try this search anywhere (you can remove the | head 100 for a larger result set):
| gentimes start=-1 increment=1m | head 100 | eval _time = starttime
| eval status = random()%2 | eval status = if(status=1,"True","False") | table _time status | sort -_time
| rename COMMENT as "above is sample data, below is your solution"
| streamstats time_window=5m count(eval(status="True")) as true_status_count
| where true_status_count>=5
Hope it helps.
| timechart span=5min list(Status)
| rename list(Status) as Status
| eval one=mvindex(Status,0),two=mvindex(Status,1),three=mvindex(Status,2),four=mvindex(Status,3),five=mvindex(Status,4)
| eval trigger=if(one="True" AND two="True" AND three="True" AND four="True" AND five="True",1,0) | where trigger=1
Alert triggers if trigger=1.
The timechart takes all 5 values of the past 5 mins (list() keeps every reading in order, whereas values() would deduplicate them), the eval extracts all 5 values and the trigger checks that all (AND join) values are true.
It didn't work for me as I will do the | timechart span=5min values(Status) by place, where I have many places and it gives the result of every 5 min status.
I need to check whether the status is true within the 5 mins.
NOTE: use proper case for status and place; in my dummy data everything is in lower case.
| stats values(status) as status, values(_time) as time by place
| eventstats max(time) as maxtime
| eval diff=(maxtime-time)/60
| eval mark=if(diff<=6,1,0)
| where mark=1
| stats list(status) as statuses by mark
| mvexpand statuses
| eval flg=case(statuses="TRUE",1)
| eventstats sum(flg) as sumflg
| where sumflg>0
The alert triggers where the result of the above query is more than 0.
Can you please check and confirm your issue? Please accept the answer if it significantly helped resolve your issue. Do not forget to add/modify the answer if you made some modifications, and then accept the answer.