Hi team, I have the following search code, and I want to trigger an alert when the condition is 'OFFLINE'. Note that we receive logs every 2 minutes, and the alert should be triggered only once; subsequent alerts should be suppressed. Similarly, when the condition becomes 'ONLINE', I want to trigger an alert only once, with subsequent alerts being suppressed. I hope my requirement is clear.

index="XXXX" invoked_component="YYYYY" "Genesys system is available"
| spath input=_raw output=new_field path=response_details.response_payload.entities{}
| mvexpand new_field
| fields new_field
| spath input=new_field output=serialNumber path=serialNumber
| spath input=new_field output=onlineStatus path=onlineStatus
| where serialNumber!=""
| lookup Genesys_Monitoring.csv serialNumber
| where Country="Egypt"
| stats count(eval(onlineStatus="OFFLINE")) AS offline_count count(eval(onlineStatus="ONLINE")) AS online_count
| fillnull value=0 offline_count online_count
| eval condition=case(
    offline_count>0, "OFFLINE",
    online_count>0, "ONLINE",
    offline_count=0 AND online_count=0, "No data")
| search condition="OFFLINE" OR condition="ONLINE"
| table condition
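One way to get the "fire once per state change" behaviour the post asks for, as an added example that is not part of the original post: instead of evaluating the condition over the whole search window, bucket the events into the 2-minute ingestion intervals, compute the condition per bucket, and compare the latest bucket with the one before it using streamstats. The alert only produces a row when the state flipped, so repeated OFFLINE (or ONLINE) intervals produce no further results. The index, component, lookup file and JSON paths are copied from the post; the lookback window (`earliest=-6m@m`) and the 2-minute bucket span are assumptions and should match the real log cadence.

```spl
index="XXXX" invoked_component="YYYYY" "Genesys system is available" earliest=-6m@m latest=now
| spath input=_raw output=new_field path=response_details.response_payload.entities{}
| mvexpand new_field
| fields _time new_field
| spath input=new_field output=serialNumber path=serialNumber
| spath input=new_field output=onlineStatus path=onlineStatus
| where serialNumber!=""
| lookup Genesys_Monitoring.csv serialNumber
| where Country="Egypt"
``` one row per 2-minute delivery interval (assumed cadence) ```
| bin _time span=2m
| stats count(eval(onlineStatus="OFFLINE")) AS offline_count count(eval(onlineStatus="ONLINE")) AS online_count BY _time
| eval condition=if(offline_count>0, "OFFLINE", if(online_count>0, "ONLINE", "No data"))
``` carry the previous interval's condition onto the current row ```
| sort _time
| streamstats current=f last(condition) AS prev_condition
``` keep only the newest interval, and only if its state differs from the one before ```
| tail 1
| where isnotnull(prev_condition) AND condition!=prev_condition AND (condition="OFFLINE" OR condition="ONLINE")
| table _time prev_condition condition
```

Schedule this as an alert that runs every 2 minutes with the trigger condition "number of results > 0"; the `condition` field in the result tells you whether the transition was to OFFLINE or to ONLINE. Two caveats: Splunk's built-in alert throttling ("suppress results containing field value" for a fixed period) suppresses repeats for a duration, not until the state flips, which is why the transition check lives in the search itself; and an interval with no events at all does not appear in the stats output, so a missed delivery followed by the same state will read as a new transition. Widen the lookback window, or persist the last known state in a lookup with outputlookup, if that matters in practice.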