I want to set up an alert to trigger if three conditions are met:
Volume of a particular app is above 100 over the last 4 hours
Total volume is above 1000 over the last 4 hours
Total Volume over the last hour is at least 100
Right now my search is:
| stats sum(VOLUME) as VOLUME, count(USERNAME) as AFFECTED_USERS by APPLICATION
| eventstats sum(VOLUME) as TOTAL
| appendcols [ search earliest=-1h | stats sum(VOLUME) as TOTAL_VOLUME ]
| filldown TOTAL_VOLUME
| where TOTAL > 1000 AND VOLUME > 100 AND TOTAL_VOLUME > 100
How can I tweak my search to get what I'm looking for?
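One way to express all three conditions in a single search without a join or subsearch, as an added example rather than the asker's own search: the last-hour volume is computed per event with eval on _time, so one stats pass yields both the 4-hour and 1-hour sums per application, and eventstats (with no by clause) turns them into the overall totals. YOUR_INDEX and YOUR_SOURCETYPE are placeholders for the base search the question omits; condition three uses >= to match the "at least 100" wording.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE earliest=-4h latest=now
| eval LAST_HOUR_VOLUME=if(_time >= relative_time(now(), "-1h"), VOLUME, 0)
| stats sum(VOLUME) as VOLUME, sum(LAST_HOUR_VOLUME) as LAST_HOUR_VOLUME, count(USERNAME) as AFFECTED_USERS by APPLICATION
| eventstats sum(VOLUME) as TOTAL, sum(LAST_HOUR_VOLUME) as TOTAL_VOLUME
| where VOLUME > 100 AND TOTAL > 1000 AND TOTAL_VOLUME >= 100
| table APPLICATION VOLUME AFFECTED_USERS TOTAL TOTAL_VOLUME
```

Save it as a scheduled alert with the same 4-hour time range and trigger when the number of results is greater than zero: each returned row is an application whose own volume exceeds 100 while the two global conditions hold, so the alert fires only when all three are satisfied. TOTAL and TOTAL_VOLUME carry the same value on every row because eventstats has no by clause, and relative_time(now(), "-1h") is evaluated at run time, so the one-hour window always tracks the scheduled execution.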