I want to join two searches for an alert. I want to alert when "difference" is above 30 AND "Total_GB_Used"
is above 350, but I'm not sure how I would append or do an inner join, as you can probably see. Hoping someone would be able to give an example?
index=_internal earliest=-2h@h source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1h | stats sum(b) as b by _time, pool, s, h, idx
| search pool="Splunk Production"
| timechart span=60m sum(b) AS volumeB fixedrange=false
| eval count=round(volumeB/1024/1024/1024, 3)
| tail 2 | reverse
| autoregress count
| eval pct_increase=100 * (count - count_p1)/count_p1
| rename count_p1 as "Previous hour Count"
| rename pct_increase as difference
| tail 1
| appendcols [search index=_internal earliest=-0d@d source=*license_usage.log type=Usage
    | stats sum(b) as Total_GB_Used
    | eval Total_GB_Used=round(Total_GB_Used/1024/1024/1024, 2)]
| where difference > 30 AND Total_GB_Used > 350
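A way to get both numbers without any subsearch or join, added here as an example and not part of the original post: read the whole day once, sum bytes per hour, and let eventstats attach the running day total to every hourly row. It assumes the same fields the question relies on (b, pool, _time in license_usage.log) and keeps the question's output names difference and Total_GB_Used and its thresholds of 30 and 350; hour_gb, hour_bytes and day_bytes are names chosen for this example. As in the question's subsearch, the day total is summed across all pools, while the hourly figure is restricted to pool="Splunk Production"; eventstats runs before the pool filter to preserve that.

```spl
index=_internal earliest=-0d@d source=*license_usage.log type="Usage"
| bin _time span=1h
| stats sum(b) as hour_bytes by _time, pool
| eventstats sum(hour_bytes) as day_bytes
| where pool="Splunk Production"
| eval hour_gb=round(hour_bytes/1024/1024/1024, 3)
| eval Total_GB_Used=round(day_bytes/1024/1024/1024, 2)
| tail 2 | reverse
| autoregress hour_gb
| eval difference=round(100 * (hour_gb - hour_gb_p1)/hour_gb_p1, 1)
| tail 1
| table _time, hour_gb_p1, hour_gb, difference, Total_GB_Used
| where difference > 30 AND Total_GB_Used > 350
```

Stage by stage: stats leaves one row per hour and pool in ascending _time order; tail 2 returns the last two rows newest-first, so reverse puts them back in time order before autoregress copies the previous hour's value into hour_gb_p1; the final tail 1 keeps only the current hour, and the where clause is the alert condition. Save it as a scheduled alert that runs every hour and triggers when the number of results is greater than 0. Two edge cases to know about: in the first hourly bin after midnight there is no previous row, so hour_gb_p1 and difference are null and nothing fires, and a previous hour with zero bytes makes the division null for the same reason; if either case should alert, test for isnull(hour_gb_p1) explicitly instead of relying on the comparison.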