
Alerting: customized conditions, memory is above a threshold for two times in a row for a specific server


Hello,
I have the following query in an alert to check the status of 6 hosts:
index=idxnmondata sourcetype=Perfmon:Memory eventtype=perfmonmemory
| eval threshold=95
| where mem_used > threshold
| table _time host mem_used threshold

I would like the alert to be triggered when a specific server is above 95% of mem_used two times in a row.

And I would like the following fields to appear in the email: _time host mem_used threshold
I thought about two options, but they don't match exactly what I want:
- Do a: stats dc(_time) as times by host (in the search) and configure the alert to trigger when results are >1
>>>but in this case I lose the information in the email about mem_used and _time, and I would like to see them in the table of the email
- Inside the alert, as a customized condition, write: search dc(_time) by host > 1, but it does not work

Does anyone have other ideas? Or am I doing something wrong?

I would also like to keep this as a single query, just to avoid consuming the resources of my search head server.

Thanks in advance
Jaime

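One way to express the "two times in a row" condition from the question above in a single search, as an added example that is not part of the original post: `streamstats` carries each host's previous sample onto the current event, so a row survives only when both consecutive samples exceed the threshold. It assumes `mem_used` is a numeric percentage extracted on every event and that the alert's time range covers at least two samples per host; `prev_time` and `prev_mem_used` are names introduced here.

```spl
index=idxnmondata sourcetype=Perfmon:Memory eventtype=perfmonmemory
| eval threshold=95
| sort 0 host _time
| streamstats current=f window=1 global=f last(_time) as prev_time last(mem_used) as prev_mem_used by host
| where mem_used > threshold AND prev_mem_used > threshold
| eval prev_time=strftime(prev_time, "%Y-%m-%d %H:%M:%S")
| table _time host mem_used prev_time prev_mem_used threshold
```

With the alert set to trigger when the number of results is greater than 0, the emailed table keeps `_time`, `host`, `mem_used` and `threshold` for each second consecutive breach, alongside the sample that preceded it.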