Hi,
I have this command:
```
| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5
```
and I would like to count the hosts and trigger when I have less than 3 hosts.
I tried something like this:
```|stats dc(host) as c_host | where c_host > 3,``` but it's not working as usual.
any idea? thanks!
This is my search:
```
| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5
```
which is working fine.
I just want to create a new alert that is triggered when the host count is less than 3.
How can I do that?
If that is your search, you should be getting an error!
Is the search relevant to the count you want i.e. should the count be based on the results of a working search, or from the index, or from part of the search?
Not sure why you say that, but it's working.
Just to be clear: value1 = some internal parameter.
index = my index.
Based on that I'm getting information about the hosts.
Now I just want to count how many hosts are reporting; when it's less than 3 I want to trigger about it.
Hope it's clear now.
```
| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
```
has a missing double quote, so it will give you an error.
Also, assuming that this is corrected, you will get a field called something like "avg(value1)"
This means that you no longer have a field called "value1" so the timechart command has no field to do an average on.
This is why the search you provided does not work.
Assuming it is the timechart table that you want to count hosts for, you could untable the chart table:
```
| untable _time host average
| stats dc(host) as c_host
| where c_host < 3
```
Now I see.
It is not clear what you have actually tried and what is "not working". Please provide your full search, anonymised as necessary, and show how it is not working.