Hi @gcusello, I have previously mentioned that we receive 13 device statuses in a single payload. I am attempting to set up an alert for each device. However, the current query, where I extract a single device serial number, is not functioning as expected, and the alert condition is also not working. Could you please check?

```spl
index="YYYYYYY" "Genesys system is available"
    response_details.response_payload.entities{}.onlineStatus="*"
    response_details.response_payload.entities{}.serialNumber="*"
| spath path="response_details.response_payload.entities{}" output=entity
| mvexpand entity
| spath input=entity path=serialNumber output=SerialNumber
| spath input=entity path=onlineStatus output=status
| where SerialNumber="XXXXXX"
| stats count(eval(status="offline")) AS offline_count
        count(eval(status="online")) AS online_count
        earliest(eval(if(status="offline", _time, null()))) AS offline
        earliest(eval(if(status="online", _time, null()))) AS online
| fillnull value=0 offline_count online_count
| eval condition=case(
    offline_count=0 AND online_count>0, "Online",
    offline_count>0 AND online_count=0, "Offline",
    offline_count>0 AND online_count>0 AND online>offline, "Offline but newly online",
    offline_count>0 AND online_count>0 AND offline>online, "Offline",
    offline_count=0 AND online_count=0, "No data")
| search condition="Offline" OR condition="Offline but newly online"
| table condition
```
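Since the stated goal is one alert per device, the following is an added example (my own, not the original poster's query and not an answer from @gcusello) that classifies every serial number in the payload in a single scheduled search instead of running one search per serial. It assumes the same index, search string and JSON path as the post above, a scheduled alert window such as the last 15 minutes, and that the onlineStatus values may vary in case or whitespace (hence the `lower(trim())` normalisation, which is my assumption). It also uses `latest()` rather than the poster's `earliest()`, so that the comparison is between the most recent offline and the most recent online observation for each device, which is what "currently offline" or "newly online" normally means.

```spl
index="YYYYYYY" "Genesys system is available"
| spath path="response_details.response_payload.entities{}" output=entity
| mvexpand entity
| spath input=entity path=serialNumber output=SerialNumber
| spath input=entity path=onlineStatus output=status
| eval status=lower(trim(status))
| stats count(eval(status="offline")) AS offline_count
        count(eval(status="online")) AS online_count
        latest(eval(if(status="offline", _time, null()))) AS last_offline
        latest(eval(if(status="online", _time, null()))) AS last_online
        latest(status) AS current_status
    BY SerialNumber
| fillnull value=0 offline_count online_count
| eval condition=case(
    offline_count=0, "Online",
    online_count=0, "Offline",
    last_online>last_offline, "Offline but newly online",
    true(), "Offline")
| where condition!="Online"
| eval last_offline=strftime(last_offline, "%Y-%m-%d %H:%M:%S"),
       last_online=strftime(last_online, "%Y-%m-%d %H:%M:%S")
| table SerialNumber condition current_status offline_count online_count last_offline last_online
```

The `spath` on the `entities{}` array followed by `mvexpand` is what keeps each serial number paired with its own status; without it the 13 statuses and 13 serials become two unrelated multivalue fields, so a filter on one serial still counts every device's status. With the results grouped `BY SerialNumber`, save the search as an alert with the trigger condition "Number of results is greater than 0" and choose "Trigger for each result" so each device that is offline or newly online raises its own alert. A device that does not appear in the window at all produces no row and therefore no alert; if silence from a device also matters, the expected serial numbers would need to come from a lookup and be joined in, which this example does not do.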