Hi @ITWhisperer Yuppers, changed the percent trigger as directed. I received email alerts where the 75 percent threshold was met or surpassed. I was surprised how many I received overnight.

To mitigate the early AM email alerts in particular, may I include a "where count > 100"? This would be in addition to the trigger alert of "search percent>=80"? I ask this because reviewing the emails received in the early AM hours revealed that ANY reason count did not meet or exceed 100. Is there a way to single out the top reason to have at least a hit count of 100?

I modified the search string with the following to see what results would render, in addition to lowering the percent trigger threshold to 20 to see what email alert values would be generated. At present, I have not received any email alert, so I clearly did not use the "where count > 20" command properly.

index=firewall host=156.33.226.83 earliest="-7m@m" latest="-3m@m" | bin span=2m _time | stats count by _time, reason | eventstats sum(count) as total by _time | eval percent=count * 100 / total | sort - percent | where count > 20 | head 20

The introduction of "where count > 20" broke the alert, and I say this because no alert has since been generated. I performed a manual 3 minute window check of top reasons, please see below. There are counts above 20 and percent above 20, so I was hoping an alert would be generated, but that did not happen.

How can the TOP reason count be taken into consideration, in that action is only taken if that TOP reason count is above 100 (arbitrary number) while maintaining the trigger threshold of 80? What adjustment is needed in the search string?

There is light at the end of the tunnel! Thanks for your help!!
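As an added illustration, not part of the post above or of any reply to it, the following Python reproduces the post's pipeline (2-minute time bins, count per reason, percent of the bin total, sort by percent) over constructed sample events and contrasts two ways of applying a count floor: filtering every row with "where count > N", which keeps any reason over the floor, and testing only the single top reason of each window against both thresholds, which is what the post asks for. Python is used instead of SPL so it runs offline; the timestamps, reason strings and event counts are made up for the example and do not come from the post.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def _make_events():
    """Constructed sample events (not real firewall logs): (timestamp, reason)
    pairs spread over three consecutive 2-minute windows in the early AM."""
    base = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)  # aligned to a 2m boundary
    spec = [
        # (window offset in minutes, reason, number of events)
        (0, "denied by policy", 150),    # ~91% of its window and above 100 -> alert
        (0, "invalid TCP flags", 10),
        (0, "rate limit exceeded", 5),
        (2, "denied by policy", 60),     # exactly 80% of its window but below 100 -> no alert
        (2, "invalid TCP flags", 15),
        (4, "denied by policy", 120),    # above 100 but only ~55% of its window -> no alert
        (4, "invalid TCP flags", 100),
    ]
    events = []
    for offset, reason, n in spec:
        for i in range(n):
            # i % 120 keeps every event inside its own 2-minute window
            events.append((base + timedelta(minutes=offset, seconds=i % 120), reason))
    return events


SAMPLE_EVENTS = _make_events()


def reason_stats(events, span_seconds=120):
    """Equivalent of: bin span=2m _time | stats count by _time, reason
    | eventstats sum(count) as total by _time | eval percent=count*100/total
    | sort - percent.  Returns {bin_start_epoch: [row, ...]} with each
    window's rows sorted by percent, highest first."""
    counts = Counter()
    for ts, reason in events:
        bin_start = int(ts.timestamp()) // span_seconds * span_seconds
        counts[(bin_start, reason)] += 1
    totals = Counter()
    for (bin_start, _), c in counts.items():
        totals[bin_start] += c
    stats = {}
    for (bin_start, reason), c in counts.items():
        stats.setdefault(bin_start, []).append(
            {"reason": reason, "count": c, "percent": c * 100 / totals[bin_start]}
        )
    for rows in stats.values():
        rows.sort(key=lambda r: r["percent"], reverse=True)
    return stats


def rows_above_count(events, min_count=20, span_seconds=120):
    """What '| where count > min_count' does: keeps EVERY reason over the
    floor in every window, so it says nothing about the top reason alone."""
    return [
        {"bin_start": b, **r}
        for b, rows in sorted(reason_stats(events, span_seconds).items())
        for r in rows
        if r["count"] > min_count
    ]


def top_reason_alerts(events, min_count=100, min_percent=80, span_seconds=120):
    """Fire once per window only when the single top reason meets BOTH the
    count floor and the percent threshold; other reasons are ignored."""
    alerts = []
    for bin_start, rows in sorted(reason_stats(events, span_seconds).items()):
        top = rows[0]  # highest percent in this window
        if top["count"] >= min_count and top["percent"] >= min_percent:
            alerts.append({"bin_start": bin_start, **top})
    return alerts


if __name__ == "__main__":
    for row in rows_above_count(SAMPLE_EVENTS, 20):
        print("count>20 row :", row)
    for alert in top_reason_alerts(SAMPLE_EVENTS):
        print("ALERT        :", alert)
```

With the constructed data, rows_above_count keeps four rows across the three windows (including two reasons from the last window), while top_reason_alerts fires for the first window only: the second window's top reason is at 80 percent but has only 60 hits, and the third window's top reason has 120 hits but only about 55 percent. The SPL analogue of top_reason_alerts is to reduce to the top row before applying the thresholds, for example sort - percent followed by dedup _time (one top row per window) or head 1, and then where count >= 100 AND percent >= 80, with the alert's trigger condition set on "number of results"; that is this editor's suggestion and was not run against the poster's index.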