Hi,
I want to create an alert that sends me an email notification if the count of events has crossed a particular threshold between the start of the month and the 15th day of the month.
My query is this:
index=akm_ing "xyz.ex.com" "aagkeyid":"49005" |stats count | where count > 600000
Can you please help me with how to achieve this?
earliest=@mon latest=@mon+15d
Hi @susri4,
you should add a condition dividing the first 15 days from the second, something like this:
index=akm_ing "xyz.ex.com" "aagkeyid":"49005"
| eval divide=if(date_mday<16,"First","Second")
| stats count BY divide
| where count > 600000
If you don't have the field date_mday, you can calculate it:
index=akm_ing "xyz.ex.com" "aagkeyid":"49005"
| eval divide=if(tonumber(strftime(_time,"%d"))<16,"First","Second")
| stats count BY divide
| where count > 600000
Ciao.
Giuseppe
Just a query:-
Can I achieve this by playing around with the earliest and latest time modifiers?
earliest = @mon -- this will give the start of the month
latest = ? -- I'm unable to define the 15th day of the month here.
Can you help me in getting the right value for latest?