I'm looking to create an alert if a field value consecutively remains above a specific threshold, say 500. For example:
Time  Field-1
1310  583
1315  678
1320  300
1325  789
In this example, I would get an alert at 1315 but not at 1320 or 1325 as the value was not above 500 consecutively. Any help in resolving this is greatly appreciated.
There are a few ways to go about this, and the optimal solution depends on the specifics of your data.
Do the events come in every five minutes or is that just an example?
[your search] | dedup 2 sourcetype | where 'Field-1'>500 | eventstats count | where count>1 | table Time Field-1
This will look at the last two consecutive events, and only include them when the value is > 500.
Then eventstats counts how many records you have; if there is more than one record, you get a result.
Thank you for the query, it's not quite giving me the results I'm looking for. I've updated my query to the following:
| stats count by _time
| eval lockcount=case(count>500,"alert")
| search lockcount=alert
| bin _time span=5m
| streamstats count window=2 by lockcount
Now I'm trying to work out how, if I get two "alerts" within a 5 min time-frame, I can generate an alert. Any suggestions?
I found an alternate solution by modifying my query to:
| timechart span=5min count
| eval hour=strftime(_time,"%H:%M")
| streamstats current=f window=2 last(count) as last_count
| table hour count last_count
Then I created an alert condition where count > 500 AND last_count > 500
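The same two-consecutive-buckets condition implemented offline in Python, as an added example (not from this thread or from Splunk), so the alert logic can be checked against exported events before it goes into a saved search. It assumes constructed sample events that reproduce the table above (13:10 -> 583, 13:15 -> 678, 13:20 -> 300, 13:25 -> 789), a 500 threshold and 5-minute buckets, and it also generalises the window to N consecutive buckets and handles the gap case that timechart hides by filling empty buckets with 0.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 500          # the thread's example threshold
SPAN_MINUTES = 5         # bin _time span=5m / timechart span=5min

# Constructed sample events reproducing the thread's table:
# 13:10 -> 583 events, 13:15 -> 678, 13:20 -> 300, 13:25 -> 789.
BASE_TIME = datetime(2024, 1, 1)
SAMPLE_EVENTS = [
    BASE_TIME.replace(hour=13, minute=m) + timedelta(seconds=i % 300)
    for m, n in ((10, 583), (15, 678), (20, 300), (25, 789))
    for i in range(n)
]


def bin_events(timestamps, span_minutes=SPAN_MINUTES):
    """Floor each timestamp to its span bucket and count events per bucket
    (the equivalent of `bin _time span=5m | stats count by _time`).
    Buckets with no events are not emitted, which matters below."""
    counts = Counter()
    for ts in timestamps:
        bucket = ts.replace(second=0, microsecond=0,
                            minute=ts.minute - ts.minute % span_minutes)
        counts[bucket] += 1
    return sorted(counts.items())


def consecutive_alerts(buckets, threshold=THRESHOLD, window=2,
                       span_minutes=SPAN_MINUTES):
    """Fire on every bucket that ends a run of `window` consecutive buckets
    above `threshold`. With window=2 this is the thread's condition
    `count > 500 AND last_count > 500`. timechart emits 0 for empty
    buckets, but bin/stats drops them, so a gap in bucket start times
    also resets the run (an absent bucket means a count of 0)."""
    span = timedelta(minutes=span_minutes)
    alerts, run, prev = [], 0, None
    for start, count in buckets:
        if prev is not None and start - prev != span:
            run = 0                       # missing bucket(s) -> count was 0
        run = run + 1 if count > threshold else 0
        if run >= window:
            alerts.append(start)
        prev = start
    return alerts


if __name__ == "__main__":
    for start in consecutive_alerts(bin_events(SAMPLE_EVENTS)):
        print("alert at", start.strftime("%H:%M"))   # prints: alert at 13:15
```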