Hello, I am currently using the |append method for some queries, but was curious if there is a better way for me to be writing these? We are trying to create a single alert that could be triggered by various conditions such as total number of failures or total number of unique customer failures. The following is a simplified example of what I am currently doing and would like to improve if anyone knows how: "base query stuff"
| stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR
| append [search "base query stuff" SEVERITY="SOAP-FAULT" | stats dc(userId) as UNIQUE_FAULT]
| where UNIQUE_FAULT > 10 OR FAULT > 20 OR ERROR > 30 I would also love to be able to create a table with all of this data (hence the success variable), which contains the totals of each and unique customer impacts of each!
... View more