My question might seem naive, and pardon me for that. I want to create an alert for data not being processed. The below was my query. An alert would be triggered if the number of events is greater than 5000, or if the number of events is greater than 1000 and the change in events is more than 1000 between 2 hours. I used delta to get the difference. I am able to give the conditions and I am able to alert as well.
However, I wanted to check if we could extract a specific column from a specific row and column number and create another table. For example, please look at the table below.
I want to create a new table with the number of events at 15:00:00, the number of events at 14:00:00, and the change in the number of events.
```
earliest=-2h@h latest=now() index=_internal blocked=true name IN (<that list>)
| bin span=1h _time
| stats count AS MyEventCount by _time
| streamstats window=2 earliest(MyEventCount) AS previous_count, latest(MyEventCount) AS latest_count
| eval difference = previous_count - latest_count
```
I did change it from a `| timechart ...` to a `| bin _time | stats count...` but both accomplish the same goal, so you can really use either.
Streamstats in this case chops that data up into 2-event chunks, taking the earlier MyEventCount as previous_count and the later one as latest_count. Last, we just do an eval to create a new field, difference, with the ... difference. 🙂
Also, 100% guarantee I did my math backwards there. I get 'em wrong so often I no longer try; I just warn folks to switch that subtraction around if necessary.
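Pulling the two hourly counts and their change into the single-row table the question asks for, with the alert condition from the question (more than 5000 events, or more than 1000 events with a swing of more than 1000 between the two hours) expressed as a `where` clause. This is an added example, not the answerer's search: it keeps the `<that list>` placeholder from the original, uses `latest=@h` so that two complete hours are compared rather than a partial in-progress hour, and swaps `stats` for `timechart` so that an hour with zero matching events still produces a row (with `stats ... by _time` an empty hour produces no row at all, and `streamstats window=2` would then silently compare non-adjacent hours). The field names `previous_hour`, `latest_hour` and `difference` are my own choices.

```spl
earliest=-2h@h latest=@h index=_internal blocked=true name IN (<that list>)
| timechart span=1h count AS MyEventCount
| streamstats window=2 earliest(MyEventCount) AS previous_count, latest(MyEventCount) AS latest_count
| eval difference = latest_count - previous_count
| tail 1
| eval previous_hour = strftime(_time - 3600, "%H:%M:%S"), latest_hour = strftime(_time, "%H:%M:%S")
| where latest_count > 5000 OR (latest_count > 1000 AND abs(difference) > 1000)
| table latest_hour latest_count previous_hour previous_count difference
```

`tail 1` keeps only the most recent hourly bucket, which after `streamstats` already carries both the current and the prior hour's count, so no row-and-column extraction is needed. The subtraction here is `latest_count - previous_count`, so a positive `difference` means the count went up; `abs()` makes the alert fire on a swing in either direction. Because `where` drops the row when the condition is not met, the alert can simply trigger on "number of results > 0".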