I have the following query in an alert that checks the status of 6 hosts:
index=idxnmondata sourcetype=Perfmon:Memory eventtype=perfmonmemory
| eval threshold=95
| where memused > threshold
| table _time host memused threshold
I would like the alert to be triggered when a specific server is above 95% mem_used two times in a row.
And I would like the following fields to appear in the email: _time host memused threshold
I thought of two options, but they don't match exactly what I want:
- Do a stats dc(_time) as times by host (in the search) and configure the alert to trigger when results are > 1
>>> but in this case I lose the memused and _time information in the email, and I would like to see them in the email table
- Inside the alert, as a custom condition, write: search dc(_time) by host > 1, but it does not work
Does anyone have other ideas? Or am I doing something wrong?
I would also like to keep this as a single query, to avoid consuming the resources of my search head server.
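Added example (not part of the original post): one way to keep a single search that fires only on two consecutive breaches while still returning the raw rows for the email table. It uses streamstats over a sliding window of two events per host, so each host's second (and later) consecutive over-threshold sample survives the filter with its own _time and memused values. The index, sourcetype, eventtype and field names are taken from the post; it assumes memused is a numeric percentage and that Perfmon samples for each host arrive at a regular interval, so "two in a row" means two consecutive samples of the same host within the alert's time range.

```spl
index=idxnmondata sourcetype=Perfmon:Memory eventtype=perfmonmemory
| eval threshold=95
| eval breached=if(memused > threshold, 1, 0)
| sort 0 host _time
| streamstats window=2 sum(breached) as consecutive_breaches by host
| where consecutive_breaches = 2
| table _time host memused threshold
```

Set the alert's trigger condition to "Number of Results is greater than 0". The search time range must cover at least two Perfmon sample intervals per host, otherwise no event can ever have a breached predecessor; for example, with a 5-minute Perfmon sample interval (an assumed value) a "last 15 minutes" range gives each host at least two samples. Note that the where clause keeps only the second sample of a pair, because the first one is what proves it was "in a row"; a run of three or more consecutive breaches produces one row per sample after the first, which is still a single search and adds no extra load on the search head beyond the original query. The sort 0 removes the default 10,000-row cap on sort so no samples are silently dropped, which is cheap here because only six hosts are in scope.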