The background to this is that I'm trying to set an alert which is normalized, i.e. the alert should only fire if the ratio of exception events to successful events over a 5 min period exceeds some pre-determined value. But stepping back several places... I started using an appended search with eval to calculate the ratio, thus:
"XXX targeting service enabled" | stats count as ALL | append [search "exception calling XXX targeting" | stats count as EXC] | eval A_ratio=ALL/10 | eval E_ratio=EXC/10 | eval ratio=ALL/EXC
this gives me accurate values for ALL, EXC, A_ratio, and E_ratio, but nothing at all for ratio. Now, given that ALL and EXC are visible outside of the appended search and can be divided by a constant, I would have thought the ratio calculation would also be fine, but it isn't. (NOTE: A_ratio and E_ratio mean nothing but I used them to debug the problem).
This is borne out by the fact that this simpler test search works fine:
"XXX targeting service enabled" | stats count as ALL dc(host) as EXC | eval A_ratio=ALL/10 | eval E_ratio=EXC/10 | eval ratio=ALL/EXC
in this case I do get an accurate ratio value back.
The mathematical operator doesn't matter and I even tried subtracting logs, but of course the problem appears to be one of visibility, not operation or syntax. So why are the variables ALL and EXC visible individually yet not visible to each other?
More to the point, can anyone help with creating a normalized alert?
Thanks.
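Added example (not from the original post): the first search produces two rows, one with ALL from the outer stats and one with EXC from the appended subsearch, so on each row the other field is null and ALL/EXC evaluates to nothing. Both searches below assume the same two search strings as the post, a 5-minute window, and a hypothetical threshold of 5% exceptions per successful event.

```spl
# Variant 1: keep the append, but collapse the two rows into one before dividing.
# sum() ignores the null cell on the other row, so ALL and EXC end up side by side.
"XXX targeting service enabled" earliest=-5m
| stats count as ALL
| append [search "exception calling XXX targeting" earliest=-5m | stats count as EXC]
| stats sum(ALL) as ALL sum(EXC) as EXC
| eval ratio=if(ALL>0, EXC/ALL, null())
| where ratio > 0.05

# Variant 2: single search, single row; avoids append (and subsearch limits) entirely.
# count(eval(...)) counts only the events where the condition is true.
"XXX targeting service enabled" OR "exception calling XXX targeting" earliest=-5m
| stats count(eval(match(_raw, "XXX targeting service enabled"))) as ALL
        count(eval(match(_raw, "exception calling XXX targeting"))) as EXC
| eval ratio=if(ALL>0, EXC/ALL, null())
| where ratio > 0.05
```

Saved as an alert with a 5-minute cron schedule and the trigger condition "number of results > 0", either variant fires only when the normalized ratio crosses the threshold; the if() guard keeps a window with zero successful events from producing a division by zero.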