Hello, I created a small alert compiling data per minute for the last 24 hours:

(index=my*filter) (myConstraint) | bin span=1m _time
| eval fieldX=formule
| stats count(eval(field="OK")) AS OK, count as Total by index, field1, ..., fieldN, _time
| append [| inputlookup MyLookup.csv | addinfo | where _time > relative_time(info_max_time, "-24h")]
| stats max(OK) as OK, max(Total) as Total by index, field1, ..., fieldN, _time
| outputlookup append=f MyLookup.csv

I configure the alert with earliest=-5m and latest=now. Schedule window: 0. I try with and without acceleration, without success. I schedule my search: * * * * *. Expiration: I keep 1 h of alerts. The alert runs correctly, but it runs every 5 to 10 minutes. I see in tasks that the execution time is less than 15 s (between 6 and 15 s).

The goal: another alert must run every 5 min and must look at the last 2 h to generate alerts. Run directly on the real-time data, the alert duration is 3 min. I hope inspecting the lookup is quicker.
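As an added example (not part of the original post), one way to see what the scheduler actually did with a search that is cron'd every minute but only seems to run every 5 to 10 minutes is to read Splunk's own scheduler log; `my_alert_name` below is an assumed placeholder for the saved search's name, not a value from the post:

```spl
index=_internal sourcetype=scheduler savedsearch_name="my_alert_name" earliest=-2h
| eval run_minute=strftime(scheduled_time, "%Y-%m-%d %H:%M")
| table _time run_minute status reason run_time
| sort -_time
```

Each event corresponds to one scheduled slot; a `status` of `skipped` with a `reason` (for example a concurrency limit being reached) accounts for the minutes in which the search never ran, while `run_time` shows the seconds each completed run took, which can be compared against the 6 to 15 s seen in the task list.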