I have an index=pan with three sourcetypes: pan:abc, pan:xyz, pan:tuv.
I want to create an alert if I don't receive any data for 15 minutes for a sourcetype.
I used the below query. But the query only works for one sourcetype. I don't want to create multiple alerts for each sourcetype. I want to know if there is an easy way to alert for all three sourcetypes in a single query.
| metadata type=sourcetypes index=yourindexNameHere | where sourcetype=yourSourcetypeNameHere| eval age=(recentTime-now()) | where age>900 | table sourcetype recentTime age | convert ctime(recentTime)
Thanks in advance
hi, @vrmandadi
how about this?
| metadata type=sourcetypes index=pan | where sourcetype="pan:abc" OR sourcetype="pan:xyz" OR sourcetype="pan:tuv"
| eval age=now() - recentTime | where age>900 | table sourcetype recentTime age | convert ctime(recentTime)
| eventstats values(sourcetype) as sourcetypes
| eval sourcetypes=mvjoin(sourcetypes,",")
fire alert with $result.sourcetypes$
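One gap in the query above that is worth closing before relying on it as a data-silence alert: `| metadata` only lists sourcetypes that still have at least one indexed event in the searched buckets. A sourcetype that has never sent anything, or whose buckets have all rolled off, produces no row at all, so the `where age>900` test never sees it and the alert stays quiet for exactly the case it should catch. The search below is an added example, not posted by anyone in this thread; it starts from the expected list of sourcetypes taken from the question, left-joins the metadata onto it, and treats a missing match as "never seen". The field names `lastSeen` and `silent_sourcetypes` are my own choices.

```spl
| makeresults
| eval sourcetype=split("pan:abc,pan:xyz,pan:tuv", ",")
| mvexpand sourcetype
| fields sourcetype
| join type=left sourcetype
    [| metadata type=sourcetypes index=pan
     | fields sourcetype recentTime]
| eval recentTime=coalesce(recentTime, 0)
| eval age=now()-recentTime
| eval lastSeen=if(recentTime==0, "never", strftime(recentTime, "%d/%m/%Y %H:%M:%S"))
| where age>900
| eventstats values(sourcetype) as silent_sourcetypes
| eval silent_sourcetypes=mvjoin(silent_sourcetypes, ", ")
| table sourcetype lastSeen age silent_sourcetypes
```

`recentTime` is the index time of the most recently indexed event, which is the right clock for "no data received" (an event carrying an old timestamp still counts as arriving). Schedule the alert to run every 15 minutes, trigger on "number of results > 0", and put `$result.silent_sourcetypes$` in the message; every surviving row carries the same joined list, so the first-row token is enough. Run it over a window wider than the silence threshold (for example the last 24 hours), because `metadata` honours the search time range and a sourcetype with no buckets in the window drops out of its output entirely; with the left join that still shows up as "never", but a too-narrow window would make every sourcetype look dead the moment it pauses.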
I got it
| metadata type=sourcetypes index=pan
| search sourcetype=pan:*
| eval age=(now() - recentTime) | search age>900
| eval time=strftime(recentTime,"%d/%m/%Y %H:%M:%S")
| convert ctime(recentTime)
that's good, please accept the answer.
Have you tried a search instead of where, and a wildcard in the sourcetype?
(frankly I forget half the time when/where/why to use "search" vs "where" but if one doesn't work try the other and that usually works 😛 )
| metadata type=sourcetypes index=yourindexNameHere | search sourcetype=pan:*| eval age=(recentTime-now()) | where age>900 | table sourcetype recentTime age | convert ctime(recentTime)
Hello @marycordova
Thank you for your reply. I have a few questions. The age gives negative values. What does that mean? Should that not be the other way, | eval age=(now() -recentTime), and then based on the age value I can create an alert if it is greater than 900 for 15 minutes? Am I doing something wrong?