Here is my search:
sourcetype="production_env" | chart eval(round(((count(eval(Status="Error"))/count)*100),2)) as "FailureRate", values(Threshold) as "Threshold", values(AlertStatus) as "AlertStatus", values(FailCount) as "Total Alerts" by ServiceNameLookup | eval AlertStatus = if(FailureRate>Threshold, "Failure rate over ".Threshold."% for the last 15 mins","OK") | rename ServiceNameLookup as "Service Name", FailureRate as "Failure Rate"
It invokes the lookup table with a list of service names and thresholds, then compares the failure rate against the threshold. How would adapt your method?
... View more