Hi all, My team needs to clear an alert with a totally different department before we consider it "published" for the purposes of audit etc. I need a SIMPLE way to mark an alert as "in review" that has the ability to make the distinction between "published" and "in review" clear on dashboards. Requirements: 1. something simple that a non-tech team won't mess up 2. readable by dashboards Thanks in advance!
... View more
I have a platform sending me events every 30 seconds, and will batch the events based on a distinct variable “tomatoes” and send to the relevant team every 10 mins as an alert.
I wrote the below to show management the total number of raw events vs the number of alerts being sent, based on historical data. I have now been asked to report on what the numbers would be if I throttled the alerts so that a distinct tomato would not create a new alert for 1 hour, and I have no idea how to do this.
I don't need help with writing the alert, but I need help on creating a report. The throttled alerts have not been created yet, I need to figure out how to remove a distinct IP from the results for 1hour and then put them back in.
| bin _time span=10m
| eval time=strftime(_time, "%m/%d/%Y %H:%M")
| stats dc(tomatoes), count by time
| rename dc(tomatoes) as tomatoes, count as tomatoes
| table time, distinct_ tomatoes, total_ tomatoes
[stats sum(distinct_ tomatoes) as distinct_ tomatoes sum(total_ tomatoes) as total_ tomatoes
| eval time="Total" ]
| stats avg(distinct_ tomatoes) as distinct_ tomatoes avg(total_ tomatoes) as total_ tomatoes
| eval distinct_ tomatoes =round(distinct_IP,1), total_ tomatoes =round(total_IP,1)
| eval time="Average"]
time distinct_tomatoes total_tomatoes
03/24/2022 19:00 1 4
03/24/2022 19:10 1 2
03/24/2022 19:20 2 5
03/24/2022 19:30 1 4
03/24/2022 19:40 1 5
03/24/2022 19:50 3 5
Total 9 25
Average 1.5 4.2
... View more