Setup an alert if field A count is less than 10 percent of field B ?


Hi All, 

I've a search which has multiple columns, I would like to setup an alert If field A values are less than 10% of field B

Here are my values

_time          field A    field B

11:00          100        120

11:15           200        130

11:30           300         450

11:45           400         450

Labels (1)
0 Karma


You can try something like this.

| your base search..

| eval difference = abs("field A" - "field B") `comment("Calculates the difference between your two fields. Abs converts the number into an absolute value,if it's negative. Ex abs(100-120)= 20")`

| eval base = ("field A" + "field B") / 2 `comment("We'll use the base to divide the difference")`

| eval percentage_difference = (difference/base) * 100 `comment("Calculates the percentage of difference between the numbers in your fields")`

| where percentage_difference <10 `comment("Detects the values of field a and field b, whose difference is less than 10%")`

| table _time "field A" "field B" percentage_difference

Save this as an alert and you're good to go. Let me know how it goes.

Thank you,


** If the answer helps you. Please mark it as accepted, so that it could help the future readers. **

0 Karma

Ultra Champion

Create a new field to evaluate when field A is less than 10 percent of field B

| eval lessthan10=if(fieldA * 10 < fieldB, 1, null())

Set your alert based on the presence of lessthan10 e.g. search lessthan10 

0 Karma