Hi,
we are trying the below query.
index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing " NOT (zmondyn*) earliest=-20d | dedup dtIncidentName dtIncidentMessage dtIncidentServerName | table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed | search dtIncidentIsClosed!="True" | eval diff_mins=(now()-_time)/60 | table _time diff_mins | where diff_mins>30 | stats count as diff30mins | append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h| stats count as countforanhour ] | stats values(*) as * | eval alertme=if(countforanhour>10 OR diff30mins>1,1,0) | search alertme=1
I can see the alerts(alertme =1) if 4 events triggered within one hour but seems the second condition(alertme if diff_mins>30) is not working properly.
Can you please confirm if both condition try to evaluate events from the raw data or one over the other condition?
-Suraj
... View more