Hi yvreddy90,
At first you should try your search putting attention to the field names (don't use spaces); false_perc.
Then you have to be sure that "f" and "t" fields have values, so you can calculate the false_perc field.
(index=logs OR index=audit) source="commtasks-logger" id=finishedcommtask
| stats count by data.succeeded
| transpose header_field="data.succeeded"
| eval false_perc=(f/(f+t))*100
then, when you'll be sure of this, at the end of your search you can add the condition:
| where false_perc>10
So if you have results you can trigger the alert.
Bye.
Giuseppe
... View more