How to factor throttled results into a report on historical events

sssinqiry5
Engager

Hi all,

I have a platform sending me events every 30 seconds, which batches the events based on a distinct variable "tomatoes" and sends them to the relevant team every 10 mins as an alert.

I wrote the below to show management the total number of raw events vs the number of alerts being sent, based on historical data. I have now been asked to report on what the numbers would be if I throttled the alerts so that a distinct tomato would not create a new alert for 1 hour, and I have no idea how to do this.

I don't need help with writing the alert, but I need help with creating a report. The throttled alerts have not been created yet; I need to figure out how to remove a distinct IP from the results for 1 hour and then put them back in.

index=*
| bin _time span=10m
| eval time=strftime(_time, "%m/%d/%Y %H:%M")
| stats dc(tomatoes) as distinct_tomatoes, count as total_tomatoes by time
| table time, distinct_tomatoes, total_tomatoes
| appendpipe
    [ stats sum(distinct_tomatoes) as distinct_tomatoes, sum(total_tomatoes) as total_tomatoes
    | eval time="Total" ]
| appendpipe
    [ where time!="Total"
    | stats avg(distinct_tomatoes) as distinct_tomatoes, avg(total_tomatoes) as total_tomatoes
    | eval distinct_tomatoes=round(distinct_tomatoes,1), total_tomatoes=round(total_tomatoes,1)
    | eval time="Average" ]

time                distinct_tomatoes   total_tomatoes
03/24/2022 19:00                    1                4
03/24/2022 19:10                    1                2
03/24/2022 19:20                    2                5
03/24/2022 19:30                    1                4
03/24/2022 19:40                    1                5
03/24/2022 19:50                    3                5
Total                               9               25
Average                           1.5              4.2
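One way to model the 1-hour throttle against historical data, as an added example that is not part of the original post and not Splunk's own code: a Python replay over constructed sample events. It bins events into 10-minute batches like the search above, counts raw events and unthrottled alerts (distinct values per batch), and then counts throttled alerts by letting a distinct value fire again only once a full hour has passed since the batch that last alerted on it. The event data, the `BATCH`/`THROTTLE` windows and the function names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BATCH = timedelta(minutes=10)    # alert batching window (the post's "every 10 mins")
THROTTLE = timedelta(hours=1)    # suppress re-alerting on a distinct value for 1 hour
BASE = datetime(2022, 3, 24, 19, 0)

# Constructed sample events (timestamp, tomatoes value); not data from the post.
# "a" is seen twice in every batch from 19:00 to 20:20, "b" twice, "c" once.
RAW_EVENTS = (
    [(BASE + timedelta(minutes=10 * i), "a") for i in range(9)]
    + [(BASE + timedelta(minutes=10 * i, seconds=30), "a") for i in range(9)]
    + [(BASE + timedelta(minutes=20), "b"), (BASE + timedelta(minutes=50), "b")]
    + [(BASE + timedelta(minutes=50), "c")]
)

def batch_start(ts, span=BATCH):
    """Floor a timestamp to the start of its batch, like `bin _time span=10m`."""
    return ts - (ts - datetime.min) % span

def simulate(events, span=BATCH, throttle=THROTTLE):
    """Replay events in time order and return one row per batch:
    (batch_start, raw_events, unthrottled_alerts, throttled_alerts)."""
    bins = defaultdict(list)
    for ts, tomato in sorted(events):
        bins[batch_start(ts, span)].append(tomato)
    last_alert = {}  # distinct value -> batch in which it last produced an alert
    rows = []
    for start in sorted(bins):
        seen = bins[start]
        distinct = set(seen)
        fired = 0
        for value in sorted(distinct):
            prev = last_alert.get(value)
            # A value alerts again only once a full throttle window has elapsed
            # since the batch that last alerted on it (not since it was last seen).
            if prev is None or start - prev >= throttle:
                fired += 1
                last_alert[value] = start
        rows.append((start, len(seen), len(distinct), fired))
    return rows

def totals(rows):
    """Column sums for the Total line: (raw, unthrottled alerts, throttled alerts)."""
    return tuple(sum(r[i] for r in rows) for i in (1, 2, 3))

if __name__ == "__main__":
    rows = simulate(RAW_EVENTS)
    print(f"{'time':<18}{'raw':>5}{'alerts':>8}{'throttled':>11}")
    for start, raw, alerts, throttled in rows:
        print(f"{start:%m/%d/%Y %H:%M}  {raw:>5}{alerts:>8}{throttled:>11}")
    raw, alerts, throttled = totals(rows)
    print(f"{'Total':<18}{raw:>5}{alerts:>8}{throttled:>11}")
```

The last-alert state is what the report needs: a value present in every batch keeps alerting once per hour under this model, whereas measuring from the last sighting would silence it forever.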