Hi,
My search is:
index=demo |eval name=lower(name)|fillnull value=Null|replace True with Compliant False with "Non_Compliant" in Compliance |search eligibility=* Appliance="*" |stats count by Compliance
This gives me output like:
Compliant 85
Non-Compliant 40
Missing 10
Here I need to create a custom alert (email to be sent) whenever compliant is < 95%. I was not able to do this.
Regards,
Sundar
If you want to create an alert based on a specific value, which is Compliant in your case, then filter that field in your search results.
You can try this search:
index=demo |eval name=lower(name)|fillnull value=Null|replace True with Compliant False with "Non_Compliant" in Compliance |search eligibility=* Appliance="*" Compliance="Compliant" |stats count by Compliance
Then set the trigger condition as Trigger alert when custom search count<95
If you want to stick to your query, then you can try something like:
Set the trigger condition as Trigger alert when custom search Compliance="Compliant" AND count<95
Let me know if this helps!
Thanks for your reply.
Compliance is the field which has all the values in it, like compliant, non-Compliant, etc. Here my requirement is to get the alert when compliant is < 95%.
When I use Compliance=Compliant, then it will have the total of all the 4 values in Compliance, right? I need it for Compliant alone in the Compliance field.
Please suggest a way, mayurr98.
No, when you write Compliance="Compliant" before the stats command, it will have only one value, called Compliant. In that case you need to set the custom trigger condition as
search count<95
If you have 4 values in the Compliance field, then you need to set the custom trigger condition as
search Compliance="Compliant" AND count<95
Hi, thank you. It works.
Can you help me with this code:
index=demo |eval name=lower(name)|fillnull value=Null|search eligibility="" Appliance="" |stats count by Compliance| eventstats sum(count) as perc | eval perc=round(count*100/perc,2)
I get output like below:
Compliance count perc(in %)
False 8 30.77
Missing 5 19.23
True 13 50.00
Here I need to take False if it goes above 50% OR True if it goes below 50% in the custom alert.
Please help me with it, mayurr98.
So your trigger condition should be
search (Compliance="False" AND perc>50) OR (Compliance="True" AND perc<50)
I am not getting the alert triggered. I tried with one condition too.
Put this at the end of your search:
index=demo |eval name=lower(name)|fillnull value=Null|search eligibility="" Appliance="" |stats count by Compliance| eventstats sum(count) as perc | eval perc=round(count*100/perc,2) | search (Compliance="False" AND perc>50) OR (Compliance="True" AND perc<50)
And see if you are getting results.
If yes, then save this search as an alert and leave the trigger condition as default.
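For the first requirement in this thread (alert when the Compliant share drops below 95%), the percentage can be computed in a single row so the alert still fires when there are no Compliant events at all and stats would otherwise return no Compliant row to test. This is an added example, not a search posted by either participant; the field names total and compliant are assumptions, and the rest reuses the search from the first post.

```spl
index=demo
| eval name=lower(name)
| fillnull value=Null
| replace True with Compliant False with "Non_Compliant" in Compliance
| search eligibility=* Appliance="*"
| stats count as total, count(eval(Compliance="Compliant")) as compliant
| eval perc=round(compliant*100/total, 2)
| where perc<95
```

Save it as an alert with the trigger condition "Number of Results is greater than 0"; the single result row carries total, compliant and perc for the email body.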