I am able to set up alerts for an index when the count = 0 for a specific parameter value. Since I have over 50 of these values, it is cumbersome to create so many alerts and I wondered if I can create one alert that is able to monitor across these values. Let me explain with an example:
This is the general search for the main index but for the specific parameter value:
So I set up alerts for multiple values of this PStream field that monitor the count, and alert when count = 0 for the last hour. Is there a way to construct the search so that it monitors all values of this field PStream and, for each one where the count = 0, I will get the appropriate alert?
... source="/statsData.newIndex/tcp/10014" | stats count(eval(PStream="864")) AS countPstream864 ... count(eval(otherField="otherValue")) AS countOtherValue | transpose | rename "row 1" AS count | where count=0

Then set up an alert for Number of Events > 0.
The dots are showing you where you need to add your "over 50 of these" (as you put it in your question). So for the 3 values you just noted, it would look like this:
... source="/statsData.newIndex/tcp/10014" | stats count(eval(PStream="864")) AS countPstream864 count(eval(PStream="865")) AS countPstream865 count(eval(PStream="866")) AS countPstream866 | transpose | rename "row 1" AS count | where count=0
How about this:
source="/statsData.newIndex/tcp/10014" | stats count by PStream | where count=0
This search should give you a result with a line for each value of PStream with zero count. If you create an alert on that, you could either go easy and contain the search result in that one email (so the recipient has to look at it to determine which PStream(s) are affected), or, if you need to explicitly send an email for each PStream, you could create a lookup for the appropriate address for each PStream and use the sendemail command with a map command (docs here and here). I have to admit I'm not sure about that second method; it appears that it has been asked before, I only skimmed the answers though.
Oh. You're right. Didn't think this through apparently.
In that case, ignore the first part of this answer - but the second one might still be useful if you intend to send emails depending on which PStream is affected.
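The first answer avoids the problem the second answer runs into (stats count by PStream never emits a row for a value that produced no events) by hard-coding every expected value into the search, which is what the question wanted to avoid. The following is an added example, not code from either answer, that gets the same result from a lookup instead: it assumes a CSV lookup named expected_pstreams.csv (hypothetical) whose single column PStream lists every value that should be seen, so new values are added to the lookup rather than to the search.

```spl
source="/statsData.newIndex/tcp/10014"
| stats count BY PStream
| inputlookup append=true expected_pstreams.csv
| fillnull value=0 count
| stats sum(count) AS count BY PStream
| where count=0
```

Appending the lookup rows gives every expected PStream at least one row, fillnull turns the missing count on those rows into 0, and the second stats collapses each value to its real total, so only expected values with no events in the alert's time range survive the where clause. An alert with the trigger condition Number of Events > 0 then fires once with all missing values listed, or once per value if the alert is set to trigger for each result.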