source="http:Emerson_P1CDN" | spath host | spath client_ip | spath status_code | where status_code=200 | spath referer | where referer="" | spath path | search path NOT ("*wcsextendedsearch" OR "*EmersonSKUListingView" OR "*EmersonProductListingView" OR "*CartRefreshStatusJSON" OR "*PriceAjaxView" OR "*AjaxSerialNumber" OR "*UnsupportedBrowserErrorView" OR "*LogonForm"OR "*MiniCart" OR "*MiniShopCartDisplayView" OR "*AnalyticsPageView" OR "*AjaxAccountLinkDisplay" OR "*.css" OR "*.js" OR "*.woff2" OR "*.woff" OR "*.gif" OR "*.png" OR "*.jpg" OR "*.ico" OR "*.pdf" OR "*.html" OR "*.txt" OR "*.xml" OR "*/ClickInfo" OR "*thumb") | bin _time span=1m | stats count by _time,host,path,client_ip | where count >= 100 | sort - count Does the query at the top is correct?, because we want to count the total events of _time,host,path and client_ip per minute ... View more

OLD Query: source="http:Emerson_P1CDN" AND status_code=200 AND path=*/catalog* AND path!=*thumb* AND path!=*CartRefreshStatusJSON* AND path!=*PriceAjaxView* | bucket span=1m _time | stats count by client_isp,_time | where count >= 600 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) | sort - count | transpose header_field=_time When I set this one as an alert, it considers the client_isp and _time as part of the query so even there where no result it is sending a blank alert only the client_isp and time on the first column. New Query: source="http:Emerson_P1CDN" AND status_code=200 AND path=*/catalog* AND path!=*thumb* AND path!=*CartRefreshStatusJSON* AND path!=*PriceAjaxView* | bucket span=1m _time | stats count by client_isp,_time | transpose header_field=_time | sort - count | where count >= 600 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) While on this one, there were no result at all. What maybe wrong on this query? ... View more