Hi,
I created an alert, which counts the total events per sourcetype and compares it with the total events from last week. The alert should trigger when the total events of today has doubled or more than last week. I don't know why it's wrong. Also is there a way to optimize this search. It takes around 1 to 2 mins to execute this search
index=caas_oracle_virtual_directory_* sourcetype="oracle_virtual_directory:*" earliest=-7d@d latest=-7d
| stats count as event_last_week by index, sourcetype
| join type=left sourcetype
[
| search index=caas_oracle_virtual_directory_* sourcetype="oracle_virtual_directory:*" earliest=@d latest=now
| stats count as event_today by index, sourcetype
| fields sourcetype, event_today]
| eval time_now = strftime(now(), "%d.%m.%y %H:%M:%S")
| eval double = (event_last_week*2)
| where double > event_today
| table time_now, index, sourcetype, event_last_week, event_today, double
| rename time_now as "Time", index as "Index" sourcetype as "Source Type", event_last_week as "Total Events Last Week", event_today as "Event Today", double as "Threshold"
And here the output of the alarm:
Thanks for your help!
... View more