Thanks for the update. I've made those changes. However, it seems to be doing something unexpected. It is generating alerts for events that occurred yesterday that met the criteria. I kinda expected it to only trigger if new events are flagged. It makes me wonder, is it rerunning the search for the entirety of log history at every cron interval and then triggering on each instance? How do I configure it to only recent/new events? ... View more

Thanks all, between all the help, I got it working. Final Query: * host="HOST1" sourcetype="Perfmon:CPU Load" object=Processor counter="% Processor Time" instance=_Total |bucket _time span=2m | eval PercentProcessorTime=Value | append [search host="HOST1" source="Perfmon:Memory" collection=Memory object=Memory counter="% Committed Bytes In Use" |bucket _time span=2m | eval PercentCommittedBytesInUse=Value] | streamstats avg(PercentProcessorTime) as "CPU",avg(PercentCommittedBytesInUse) as "Memory" by host window=2 | table _time CPU Memory | where CPU > 70 AND Memory > 70 with a scheduled alert running on cron expression */2 * * * * (every 2 minutes) ... View more

Well, that is good to know... I have a search like this in a dashboard, modified to try for an alert every 3 minutes (cron expression). I made the values super low to ensure it hits constantly, as a test, but this is not even triggering even though the values are low enough. host="HOST1" sourcetype="Perfmon:CPU Load" object=Processor counter="% Processor Time" instance=_Total |bucket _time span=2m| eval PercentProcessorTime=Value | append [search host="HOST1" source="Perfmon:Memory" collection=Memory object=Memory counter="% Committed Bytes In Use" | eval PercentCommittedBytesInUse=Value] | stats avg(PercentProcessorTime) as "CPU",avg(PercentCommittedBytesInUse) as "Memory" | table _time CPU Memory |where CPU > 5 AND Memory > 25 Any ideas? ... View more

DalJeanis, I could see your technique working, except with my example, how do you specify what value is pctCPU and which is pctMemory? This is my base search. host="HOST1" (sourcetype="Perfmon:CPU Load" object="Processor" counter="% Processor Time") OR (sourcetype="Perfmon:Memory" collection=Memory object=Memory counter="% Committed Bytes In Use") ... View more

This is for an alert. I'm a newb so not sure when to use timechart or stats. The above solution is closer but it fails because I record CPU every 1 minute and the span=2m is picking up the CPU value at, for example, 12:00:00 and 12:01:00 so it always hits even though that is two CPU hits and not one CPU/one Memory. I've tried changing span to 1m and it works but fires off alerts every 5 seconds, for the same value, so that is no good. ... View more