I’d like to compare 1) the number of events received in the last 30 minutes with 2) the average number of events received in the last 30 calendar days (reduced to a 30 minutes span)
If the result of 1) exceeds by 50% the result of 2), I’d like to have something like “warning”, otherwise “normal”.
I’ve come up with the following search but it doesn’t seem to be working and I cannot figure out what is wrong with it (I’m pretty sure it’s right under my nose)
earliest=-30d@d index=index sourcetype=sourcetype | search host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype | search host=host | stats count as last30minutes ] | eval status = if(last30minutes >= 1.5*average_reference, "Warning", "Normal")
Any help would be appreciated!
You have too many | search; this works for me:
earliest=-30d@d index=index sourcetype=sourcetype host=host | stats count as last30days | eval average_reference=(last30days/30/1440*30) | appendcols [ search earliest=-30m latest=now index=index sourcetype=sourcetype host=host | stats count as last30minutes ] | eval status = if(last30minutes >= (1.5*average_reference), "Warning", "Normal")
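As an added example (not part of the original question or answer), the same comparison can be done in a single search instead of appendcols, which avoids running two searches over the same index and the risk of the subsearch column not lining up with the outer row. It keeps the placeholders index=index, sourcetype=sourcetype and host=host from the posts; the field name period and the "No baseline" status are assumptions introduced here, and the divisor 1440 is the number of 30-minute spans in 30 days (30 x 48), the same reduction the original eval performs. The last 30 minutes are excluded from the baseline count so the current window is not compared against itself.

```spl
index=index sourcetype=sourcetype host=host earliest=-30d@d latest=now
| eval period = if(_time >= relative_time(now(), "-30m"), "last30m", "baseline")
| stats count(eval(period="baseline")) AS last30days, count(eval(period="last30m")) AS last30minutes
| eval average_reference = last30days / 1440
| eval status = case(average_reference == 0, "No baseline", last30minutes >= 1.5 * average_reference, "Warning", true(), "Normal")
```

The explicit "No baseline" case is worth keeping: when a host has sent nothing in the last 30 days, average_reference is 0 and any single event in the last 30 minutes would otherwise be reported as "Warning", which is usually not what an alert on this search should fire on.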
Thanks for your feedback!