Solved: Question on setting up the alerts

prettysunshinez · ‎01-25-2021

I have a search query that outputs the count of the event for all the host (i.e., | stats count by host)

Now if the count is greater than 5,(for say host 1 and host 2 together gives more than 5 counts),an alert has to be triggered..

Let me know how..

TIA

@Anonymous

richgalloway · ‎01-28-2021

Perhaps this will fill the need. Search for this:

| stats count by host 
| addcoltotals labelfield=host label=TOTAL count

then have the alert trigger using the Custom setting:

search (host=TOTAL AND count > 5)

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎01-26-2021

| stats count by host
| stats sum(count) as count
| where count > 5

---
If this reply helps you, Karma would be appreciated.

prettysunshinez · ‎01-28-2021

Thanks @richgalloway for the suggestion..

But what i would want is,to have host wise count in the alert mail..and the alert has to be triggered if the overall count is greater than 5

richgalloway · ‎01-28-2021

Perhaps this will fill the need. Search for this:

| stats count by host 
| addcoltotals labelfield=host label=TOTAL count

then have the alert trigger using the Custom setting:

search (host=TOTAL AND count > 5)

---
If this reply helps you, Karma would be appreciated.

isoutamo · ‎01-28-2021

You could try this

| stats count by host
| streamstats sum(count) as total_count
| where total_count > 5

r. Ismo

Question on setting up the alerts