I am trying to alert if one of my servers is left out of load balance for a specific amount of time.
My current search is:
index=netcool $server-ip$ Node | rex field=_raw "Node\s\/Common\/(?<host>.*)\s+address\s(?<ipaddress>[\d\.]+)\ssession status\s(?<status>.*)\." | where status!=" monitor status unchecked" AND status!=" monitor status forced down" | table _time, host, status | sort -_time | dedup snehost
This gives me a table of all my servers and a status of either "enabled" or "forced disabled" which is perfect. I want to be able to run this search every fifteen minutes and have it generate an alert if the server status is "forced disabled" for an extended period of time.
My original thoughts are, this search runs every 15min and the latest search compares the previous search. Is this possible?