Hi,
I have a periodic anomaly detection search (alert) query whose results look like this in the inline mail result table:
AVERAGE,PRESENT,THRESHOLDEXCEED
6836 ,15775 , YES
(the bold ones are field names)
If there is no THRESHOLDEXCEED value, the alert doesn't trigger.
My query that calculates the THRESHOLDEXCEED value is like this:
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO")
If THRESHOLDEXCEED is YES, I also want to trigger a completely different query and append its results to the alert mail (as an inline table).
The query I want to include:
index=mailindex earliest=-10m | stats count by subject | sort -count
How can I achieve this?
Thanks so much,
Regards
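One way to get the conditional second table into the same alert, as an added example rather than anything from the original post: run the per-subject breakdown with `append`, copy the single THRESHOLDEXCEED value onto every row with `eventstats`, and then keep rows only when it is YES. When the threshold is not exceeded every row is dropped, the search returns no results, and an alert whose trigger condition is "number of results > 0" (assumed here; the post does not state the exact trigger setting) stays silent exactly as before. The `section` field is an added label so the two result sets can be told apart in the mail; the index, host and field names are taken from the post.

```spl
host="AVGMAILCOUNT" date_wday = [| stats count | eval A=strftime(now(),"%A") | return $A]
| addinfo
| eval saat=strftime(info_search_time,"%H")
| eval dakka=strftime(info_search_time,"%M")
| eval sonuc=if(date_hour == saat AND date_minute == dakka, "Evet", "Hayır")
| rename EXTRA_FIELD_3 as AVERAGE
| search sonuc=Evet
| stats values(*) as *
| appendcols [ search index=mailindex earliest=-10m | stats count as PRESENT ]
| where isnotnull(AVERAGE) AND isnotnull(PRESENT)
| table AVERAGE, PRESENT
| eval THRESHOLDEXCEED=if(PRESENT > AVERAGE*4, "YES", "NO")
| eval section="SUMMARY"
```
```spl
| append [
    search index=mailindex earliest=-10m
    | stats count by subject
    | sort -count
    | eval section="TOP_SUBJECTS"
  ]
```
```spl
| eventstats values(THRESHOLDEXCEED) as exceed
| where exceed="YES"
| fields - exceed
| table section, AVERAGE, PRESENT, THRESHOLDEXCEED, subject, count
```

The three fragments above are one pipeline split for readability; paste them together in order. The `eventstats` step is what carries the verdict from the single summary row to the appended subject rows, since `append` alone leaves those rows with no THRESHOLDEXCEED field. If you prefer to keep the summary row even when the threshold is not exceeded and only suppress the breakdown, change the filter to `| where exceed="YES" OR section="SUMMARY"` and trigger the alert on `THRESHOLDEXCEED=YES` instead of on the result count.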