I have an requirement that need to schedule the below search query for every 2 mins(it can be given in corn schedule */2 * * * *) but it should not trigger mail immediately even breach threshold and the after specified time limit which will be mentioned in the lookup csv file, consider field as "count_threshold"=3
Now, after 6 mins (ie 2 mins * 3 = 6 mins) the email has to trigger if the search query breach the threshold(or if the results greater than 0)
Below is the existing search:
| eval "Alert Status" = case((' Virtual Bytes'<=manual_threshold3),"NORMAL", (' Virtual Bytes'>manual_threshold4),"CRITICAL", (' Virtual Bytes'>manual_threshold3 AND ' Virtual Bytes'<=manual_threshold4),"WARNING")
| search "Alert Status"="CRITICAL"
| table Host," PID","Process Name"," Virtual Bytes","Alert Status"
How to achieve this? And how to add the condition to send mail after 6 mins.
... View more