Hello,
I have a search based on the following conditions
index="xxx" sourcetype="xxxxx" uri_path="/xxx/xxx/xxxx" http_method=POST http_referrer="*www.xxxxx.com*" response_code=201 | timechart count by uri_path
I would like to create an alert when the count is zero for 20 minutes. Essentially, it alerts me that no events have occurred for 20 minutes.
You will have to define the span in timechart for 20 minutes, and also fillnull with value=0, and then do where count=0.
Thank you for the query suggestions - I have applied them:
timechart span=20min count | fillnull value=0 | where count=0
Do you have any suggestion for the Alert setup? The Current setup is:
Alert Type: Real-time
Trigger alert when: Number of Results is equal to 0 in 20 minutes; trigger once; suppress triggering for 20 minutes.
Best I can tell you is to create an alert like this:
your search | stats count by uri_path | append [ | inputlookup uri_path_lookup.csv ] | eventstats count as eventcount by uri_path | fillnull value=0 count | where NOT ( eventcount=2 AND count=0 ) | where count=0
Basically you create a lookup which has all the possible uri_path values, and the above search will show you the uri_path values where there were no events for the last 20 minutes. Run this alert search on a cron schedule every 20 minutes ( */20 * * * * ) and look at the last 20 minutes of data.
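The lookup-based answer above is an absence check per expected path: build the set of paths that should have traffic, count the qualifying events in the last 20 minutes for each, and report the ones at zero. The Python below is an added example that re-implements that logic outside Splunk so the window and filter edge cases can be checked; it is not code from the thread or from Splunk. The path names, host names, timestamps and events are constructed sample data, and the `http_referrer="*www.example.com*"` match is assumed to mean a substring match, as the wildcard in the original search implies.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for uri_path_lookup.csv: every path that should see traffic.
EXPECTED_PATHS = ["/api/v1/orders", "/api/v1/payments", "/api/v1/refunds"]

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample events with the fields the original search filters on.
SAMPLE_EVENTS = [
    # counted: matches every filter and falls inside the window
    {"_time": NOW - timedelta(minutes=5), "uri_path": "/api/v1/orders",
     "http_method": "POST", "http_referrer": "https://www.example.com/checkout",
     "response_code": 201},
    # excluded: right fields, but older than the 20 minute window
    {"_time": NOW - timedelta(minutes=30), "uri_path": "/api/v1/payments",
     "http_method": "POST", "http_referrer": "https://www.example.com/pay",
     "response_code": 201},
    # excluded: GET with 200 does not match http_method=POST response_code=201
    {"_time": NOW - timedelta(minutes=3), "uri_path": "/api/v1/payments",
     "http_method": "GET", "http_referrer": "https://www.example.com/pay",
     "response_code": 200},
    # excluded: referrer does not contain www.example.com
    {"_time": NOW - timedelta(minutes=2), "uri_path": "/api/v1/refunds",
     "http_method": "POST", "http_referrer": "https://other.example.net/",
     "response_code": 201},
    # ignored: not in the lookup, so it is neither counted nor reported
    {"_time": NOW - timedelta(minutes=1), "uri_path": "/api/v1/unknown",
     "http_method": "POST", "http_referrer": "https://www.example.com/",
     "response_code": 201},
]


def matches_search(event, referrer_host="www.example.com"):
    """Mirror the base search filters: POST, 201, referrer contains the host."""
    return (event["http_method"] == "POST"
            and event["response_code"] == 201
            and referrer_host in event["http_referrer"])


def count_by_path(events, expected_paths, now, window=timedelta(minutes=20)):
    """Equivalent of stats count by uri_path joined against the lookup with
    fillnull value=0: every expected path starts at zero, so a path that
    produced no events still has a row."""
    earliest = now - window
    counts = {path: 0 for path in expected_paths}
    for event in events:
        if not matches_search(event):
            continue
        if not (earliest <= event["_time"] <= now):
            continue
        if event["uri_path"] in counts:
            counts[event["uri_path"]] += 1
    return counts


def silent_paths(events, expected_paths, now, window=timedelta(minutes=20)):
    """Equivalent of the final where count=0: the paths to alert on."""
    counts = count_by_path(events, expected_paths, now, window)
    return sorted(path for path, count in counts.items() if count == 0)


if __name__ == "__main__":
    for path in silent_paths(SAMPLE_EVENTS, EXPECTED_PATHS, NOW):
        print(f"no matching events in the last 20 minutes for {path}")
```

The point the lookup makes is visible in `count_by_path`: without the seeded zero rows, a path that sent nothing simply never appears in the results, and an alert condition written as `where count=0` has no row to match. Seeding from the lookup turns "no row" into "count=0", which is what a scheduled search every 20 minutes can then trigger on.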
Just add the time range and trigger for no results.
index="xxx" sourcetype="xxxxx" uri_path="/xxx/xxx/xxxx" http_method=POST http_referrer="*www.xxxxx.com*" response_code=201 earliest=-20m latest=now
| timechart count by uri_path
Trigger alert when: Number of results
Is equal to: 0