@ITWhisperer This is what I imagine it should look like, but I'm not sure if there is a way to add in a condition for Streamstats for this command? Or a workaround? "reset_on_change= if (status="UP", 1, 0)"

| bucket span=1m _time
| eval status_change=if(status="DOWN",1,0)
| streamstats sum(status_change) as down_count reset_on_change= if (status="UP", 1, 0)
| eval is_alert=if(down_count >=5 AND status="DOWN",1,0)
| where is_alert=1