Re: How to write condition

yvreddy90 · ‎09-26-2019

(index=logs OR index=audit) AND source="commtasks-logger" AND id=finishedcommtask |stats count by data.succeeded | transpose header_field="data.succeeded" | eval false perc = (f/(f+t))*100 | eval true perc = (t/(f+t))*100

This my query based on this how to write a condition is "false perc >10" trigger alert

Please help me anyone

gcusello · ‎09-26-2019

Hi yvreddy90,
At first you should try your search putting attention to the field names (don't use spaces); false_perc.
Then you have to be sure that "f" and "t" fields have values, so you can calculate the false_perc field.

(index=logs OR index=audit) source="commtasks-logger" id=finishedcommtask 
| stats count by data.succeeded 
| transpose header_field="data.succeeded" 
| eval false_perc=(f/(f+t))*100

then, when you'll be sure of this, at the end of your search you can add the condition:

| where false_perc>10

So if you have results you can trigger the alert.

Bye.
Giuseppe

adonio · ‎09-26-2019

did you try ... | top data.succeeded instead of your ... | stats count ... ?

How to write condition

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Join the Conversation

How to write condition

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4