```Purpose: compare the average SQL Server "User Errors" rate (Perfmon counter Errors/sec) of the previous 24h window with the current 24h window, and list sql-trace events from both days next to those two averages.```
```Stage 1: base search over the window from 48h ago to 24h ago (both snapped to the hour); average the counter value into PrevErrors.```
earliest=-48h@h latest=-24h@h index="my-live-srv" sourcetype="Perfmon:sqlserver:sql_errors" counter="Errors/sec"
| where instance="User Errors"
| stats avg(Value) as PrevErrors
```Stage 2: same counter and instance for the last 24h (snapped to the hour), added as a second column CurrErrors. appendcols pairs subsearch rows with main rows by position.```
| appendcols [ search earliest="-24h@h" latest="@h" index="my-live-srv" sourcetype="Perfmon:sqlserver:sql_errors" counter="Errors/sec" instance="User Errors" | stats avg(Value) as CurrErrors ]
```Stage 3: treat a missing average as 0, then round both values to three decimals. Both fields are still numeric at this point.```
| eval PrevErrors=if(isnull(PrevErrors), 0, PrevErrors)
| eval CurrErrors=if(isnull(CurrErrors), 0, CurrErrors)
| eval CurrErrors=round(CurrErrors,3)
|eval PrevErrors=round(PrevErrors,3)
```Stage 4: append the unit text, so the fields now hold display strings of the form "<value> Errors/sec" rather than numbers.
NOTE(review): a numeric threshold such as "where CurrErrors > 1" placed after this stage is evaluated against that text, which would explain a where condition not behaving as expected. The threshold probably has to be tested before the unit is appended, or against a separate numeric copy of the value - confirm.```
|eval CurrErrors=(CurrErrors + " Errors/sec")
| eval PrevErrors=(PrevErrors + " Errors/sec")
```Stage 5: attach sql-trace events from the last 48h as extra columns. Each event is tagged "yesterday" or "today" depending on whether it is older than 24h, and yesterday's _time is moved forward by 24h.
NOTE(review): where compares Date with the literal string "*$"; the asterisk is not expanded as a wildcard in where - confirm that this is the intended filter.
NOTE(review): subsearch results are subject to row-count and runtime limits, so a busy trace source may be cut short without an error - verify before relying on this as an alert.```
| appendcols [search earliest="-48h" latest="@h" index="my-live-srv" sourcetype="sql-trace"
    |where Date!="*$"
    | eval time_marker = if (_time < relative_time(now(), "-24h"), "yesterday", "today")
    | eval _time = if (time_marker=="yesterday", _time + 24*60*60, _time) ]
```Stage 6: for every row take PrevErrors and CurrErrors from the row before it (current=f excludes the row itself, window=1 looks back one row). Presumably this is meant to copy the two averages from the first row onto the trace rows - confirm against actual output, including what the first row ends up with.```
| streamstats current=f window=1 global=f last(PrevErrors) as PrevErrors
| streamstats current=f window=1 global=f last(CurrErrors) as CurrErrors
```Stage 7: final column layout - the two rates first, then the day marker and the trace event fields.```
|table CurrErrors,PrevErrors,time_marker,Date,Time, ID, HostName, ClientProcessID, ApplicationName, LoginName, SPID, Severity, EventClass, State, Error, DatabaseName, EventSequence
I want to save this search as an alert, but I want the alert to trigger only when CurrErrors > 1. How can I do this? I have tried adding a where condition, but I don't get the expected result.