I have a question about configuring alerts. The documentation and the GUI talk about "Number of results", and I'm not sure whether that means the search results (events) or, for example, the rows of the result table shown when using the stats command.
Let's say I have the search `index=test user=root dhost=*` and it gives me 100 event results.
If I do `index=test user=root dhost=* | stats count by dhost` it gives me a table with 3 rows:
| dhost | count |
|-------|-------|
| host1 | 50 |
| host2 | 30 |
| host3 | 20 |
For each of the searches, if the triggering condition is "Number of results greater than 50":
Which search would trigger? (I think only the 1st, since for me the number of results in the 2nd search is 3 rows.)
If both trigger, what data would come out as the result for each?
The number of results means the number of events your search / alert will generate.
In your example above, the search will trigger if you have more than 50 rows in your table with host and count.
It will not trigger if you have a count value greater than 50.
If that is what you want, you can do the following:
Create a new search:
`index=test user=root dhost=* | stats count by dhost | where count > 50`
and when you create the alert, set the number of results to "greater than 0".
The search will then trigger only if there is at least one host with a count > 50.
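To make the difference concrete, here is an added example (not part of the original question or answer) of how the two approaches look in `savedsearches.conf`. The stanza names, the schedule and the time window are assumptions; the search strings are the ones from the thread.

```ini
# Constructed example: two alert definitions side by side.
# Stanza names, cron_schedule and dispatch.* values are assumptions.

[dhost_alert_wrong_condition]
# "Number of results greater than 50" applied to the stats table.
# The trigger compares the number of ROWS returned (one per distinct
# dhost), so this only fires when more than 50 hosts appear. It never
# looks at the value in the count column, which is what the asker wanted.
search = index=test user=root dhost=* | stats count by dhost
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 50
alert.track = 1

[dhost_alert_corrected]
# Push the threshold into the search so every row that survives the
# "where" is itself a violation, then fire as soon as any row exists.
search = index=test user=root dhost=* | stats count by dhost | where count > 50
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

Run against the three-row table from the question (host1 = 50, host2 = 30, host3 = 20), the first stanza produces 3 rows and does not fire. The second stanza does not fire either, because `where count > 50` drops host1 (50 is not greater than 50). If a count of exactly 50 is supposed to trigger, the search needs `where count >= 50`; the alert's own "greater than 0" condition stays the same, since it only asks whether any row came back.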