I have these events from where I calculate response time for the particular ping. The events are generated randomly and not at any particular time. So, I want to create an alert in such a way that if the response time is greater than 10 sec for more than 30 mins, it should trigger an alert. How do I go about it?
can you provide the search to calculate response time?
You can use the timechart command to segregate the response time.
<base search with response time and time>| timechart span=30m sum(response_time) as response_time | where response_time>10
Assuming that response time is in seconds already; otherwise you would need to convert to seconds initially.
Let me know if this helps!
I think this doc would explain it better:
timechart will make a bin of span of 30 minutes and in that 30 minutes, it will check for the response time greater than 10 specified in the where clause.
Mayur - I don't think you understood my question. I have to trigger an alert iff the response time is greater than 10 sec even after 30 mins, i.e. for the first 30 mins, no alert. At 30 mins 1 sec (if the response time is still >10s), the alert has to be triggered.
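The distinction the asker is drawing is between "at least one slow ping in a 30-minute bucket" (what a plain timechart bucket gives you) and "every ping has been slow, continuously, for longer than 30 minutes". The following is an added example, not code from this thread or from Splunk: a small Python state machine that evaluates the second condition over irregularly timed events. The log line format, the sample events and the function names are constructed for illustration. A breach run starts at the first event above 10 s, is cancelled by any later event at or below 10 s, and the alert fires at the first event that is more than 30 minutes after an uncancelled run start, so at "30 mins 1 sec" and not before.

```python
from datetime import datetime, timedelta

THRESHOLD_SECONDS = 10.0          # response time limit from the question
SUSTAIN = timedelta(minutes=30)   # how long the breach must persist before alerting


def parse_events(lines):
    """Parse constructed log lines of the form
    '<ISO-8601 timestamp> response_time=<seconds>' into (datetime, float)
    tuples, sorted by time so out-of-order arrivals are handled."""
    events = []
    for line in lines:
        ts_str, _, rt_field = line.strip().partition(" ")
        rt = float(rt_field.split("=", 1)[1])
        events.append((datetime.fromisoformat(ts_str), rt))
    events.sort()
    return events


def sustained_breach(events, threshold=THRESHOLD_SECONDS, sustain=SUSTAIN):
    """Return the timestamp of the first event at which the response time has
    been above `threshold` continuously for longer than `sustain`, else None.

    Only event times count: a gap with no pings neither extends nor cancels a
    run, since we have no observation either way in that gap.
    """
    run_start = None
    for ts, rt in events:
        if rt > threshold:
            if run_start is None:
                run_start = ts          # first slow ping opens a run
            elif ts - run_start > sustain:
                return ts               # still slow, more than 30 min later
        else:
            run_start = None            # a fast ping cancels the run
    return None


# Constructed sample data (hypothetical ping results).
SAMPLE_HEALTHY = [
    "2024-01-01T10:00:00 response_time=12.4",
    "2024-01-01T10:17:00 response_time=15.0",
    "2024-01-01T10:29:00 response_time=3.2",   # recovers at 29 min: run resets
    "2024-01-01T10:45:00 response_time=11.0",  # new run starts here
    "2024-01-01T11:05:00 response_time=13.0",  # only 20 min into the new run
]

SAMPLE_ALERT = [
    "2024-01-01T10:00:00 response_time=12.4",
    "2024-01-01T10:30:01 response_time=11.0",  # 30 min 1 s after run start: alert
    "2024-01-01T10:17:00 response_time=15.0",  # deliberately out of order
    "2024-01-01T10:30:00 response_time=11.0",  # exactly 30 min: not yet "more than"
]


def check_lines(lines):
    """Convenience wrapper: log lines in, alert timestamp (ISO string) or None out."""
    hit = sustained_breach(parse_events(lines))
    return hit.isoformat() if hit else None


if __name__ == "__main__":
    print("healthy:", check_lines(SAMPLE_HEALTHY))   # None
    print("alert:  ", check_lines(SAMPLE_ALERT))     # 2024-01-01T10:30:01
```

Note that the 30-minute timechart bucket in the earlier answer would flag the healthy sample too, because it contains slow pings, whereas the run-based check stays quiet until a run has actually outlived the 30-minute window. In SPL the same idea is a streamstats pass over events sorted by _time that records the run start and resets whenever response_time drops to or below 10, with the alert condition applied to the age of the current run.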