I'm currently running an alert, which updates every minute with a range -1m to -2m, for each new log based on unique JOBNAMEs. I want to create an alert each time a new JOBNAME occurs for the first time but not again if the same JOBNAME occurs for a given day.
Dedup is used to remove duplicates and I can use it in order to only have unique JOBNAMEs per 24 hour period, but this won't only show the first time entry per JOBNAME. I'm thinking I need to do my regular search, with the alert parameters set to every minute, span -1m to -2m, for each result and then NOT that against the results found in the same day based on JOBNAME. Any help/ideas?
Here is the search result for a given day:
index=x
    [ | inputlookup Jobnames.csv | fields JOBNAME ]
JOBNAME DATETIME
CIPB0021 2017-07-31 20:41:07.20 -0700
CIPB0024 2017-07-31 20:45:59.69 -0700
CIPB0021 2017-07-31 20:48:15.50 -0700
CIPB0024 2017-07-31 20:54:42.04 -0700
CIPB0024 2017-07-31 20:57:25.70 -0700
CIPB0021 2017-07-31 20:58:25.80 -0700
CIPB0021 2017-07-31 21:02:59.15 -0700
CIPB0024 2017-07-31 21:03:28.13 -0700
CIBI0991 2017-07-31 21:16:59.60 -0700
CIBI0991 2017-07-31 21:40:29.76 -0700
Here is the search result using dedup:
index=x
    [ | inputlookup Jobnames.csv | fields JOBNAME ]
| bucket _time span=24hr
| dedup JOBNAME _time
JOBNAME DATETIME
CIPB0021 2017-07-31 20:58:25.80 -0700
CIPB0024 2017-07-31 21:03:28.13 -0700
CIBI0991 2017-07-31 21:16:59.60 -0700
As you can see, CIPB0021 occurred 4 times, and it filtered to show the 3rd. CIPB0024 occurred 4 times, and it filtered to show the 4th. CIBI0991 occurred 2 times and it showed the 1st. Also, bucket uses the last 24 hours and not only the same day. So if something occurs at 1am, it would use most of the previous day in the comparison, which I don't want.
I only want to create alerts for the following:
JOBNAME DATETIME
CIPB0021 2017-07-31 20:41:07.20 -0700
CIPB0024 2017-07-31 20:45:59.69 -0700
CIBI0991 2017-07-31 21:16:59.60 -0700
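The logic the question is after, written out as an added Python example rather than anything from the original post or from Splunk: group by JOBNAME and by calendar day in the log's own -0700 offset, keep the earliest run per group, and then let a minute-by-minute run fire only when that earliest run falls inside its own -2m/-1m window. The input is the ten rows from the post plus two constructed rows just after local midnight (CIPB0021 at 01:02 and CIBI0991 at 01:07 on 2017-08-01, which are not in the post) so the day-boundary concern is exercised; a rolling-24h variant is included only to show the difference the post describes. All function names are this example's own.

```python
from datetime import datetime, timedelta

# Constructed sample input: the ten rows from the post, plus two extra rows
# (assumed, not in the post) shortly after local midnight on 2017-08-01.
SAMPLE_LOG = """\
CIPB0021 2017-07-31 20:41:07.20 -0700
CIPB0024 2017-07-31 20:45:59.69 -0700
CIPB0021 2017-07-31 20:48:15.50 -0700
CIPB0024 2017-07-31 20:54:42.04 -0700
CIPB0024 2017-07-31 20:57:25.70 -0700
CIPB0021 2017-07-31 20:58:25.80 -0700
CIPB0021 2017-07-31 21:02:59.15 -0700
CIPB0024 2017-07-31 21:03:28.13 -0700
CIBI0991 2017-07-31 21:16:59.60 -0700
CIBI0991 2017-07-31 21:40:29.76 -0700
CIPB0021 2017-08-01 01:02:10.00 -0700
CIBI0991 2017-08-01 01:07:44.00 -0700
"""


def parse_ts(date, clock, tz):
    """Build a timezone-aware datetime from the three DATETIME fields in a log row."""
    return datetime.strptime(f"{date} {clock} {tz}", "%Y-%m-%d %H:%M:%S.%f %z")


def parse_events(text):
    """Parse 'JOBNAME YYYY-MM-DD HH:MM:SS.ff -HHMM' lines into (jobname, datetime) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        jobname, date, clock, tz = line.split()
        events.append((jobname, parse_ts(date, clock, tz)))
    return events


def first_seen_per_day(events):
    """Earliest run per (JOBNAME, calendar day in the log's own offset).

    Returns a chronologically sorted list of (jobname, date, first_run).
    Calendar-day grouping, not a trailing 24h window, is what keeps a 1am run
    from being compared against most of the previous day.
    """
    firsts = {}
    for jobname, ts in events:
        key = (jobname, ts.date())  # .date() on an aware datetime is the local date
        if key not in firsts or ts < firsts[key]:
            firsts[key] = ts
    return sorted(((j, d, t) for (j, d), t in firsts.items()), key=lambda r: r[2])


def first_seen_rolling(events, lookback=timedelta(hours=24)):
    """Contrast only: suppress a JOBNAME for 24h after it last alerted.

    This is the behaviour the post wants to avoid; the after-midnight rows
    are swallowed because they fall within 24h of the previous evening.
    """
    last_alert, out = {}, []
    for jobname, ts in sorted(events, key=lambda e: e[1]):
        prev = last_alert.get(jobname)
        if prev is None or ts - prev >= lookback:
            out.append((jobname, ts))
            last_alert[jobname] = ts
    return out


def alert_window_hits(events, run_at, start=timedelta(minutes=2), end=timedelta(minutes=1)):
    """Emulate one scheduled run: fire only for first-seen runs whose timestamp
    lies in [run_at - start, run_at - end), the post's "-2m to -1m" window.

    Note the first-seen pass still sees the whole day's events; if the search
    itself were limited to the one-minute window, every run would look "first".
    """
    lo, hi = run_at - start, run_at - end
    return [(j, t) for j, d, t in first_seen_per_day(events) if lo <= t < hi]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for j, d, t in first_seen_per_day(evs):
        print("first run", j, t)
    print("rolling-24h would alert on", [j for j, _ in first_seen_rolling(evs)])
    print("run at 20:43 fires:", alert_window_hits(evs, parse_ts("2017-07-31", "20:43:00.00", "-0700")))
    print("run at 20:50 fires:", alert_window_hits(evs, parse_ts("2017-07-31", "20:50:00.00", "-0700")))
```

The same shape in SPL, as an untested sketch rather than a verified search: run the alert over earliest=@d, then eval day=strftime(_time, "%Y-%m-%d") | stats min(_time) as first_seen by JOBNAME day | where first_seen >= relative_time(now(), "-2m") AND first_seen < relative_time(now(), "-1m"). Two caveats for a practitioner: strftime and @d use the search user's configured timezone, so that must match the -0700 the logs carry, and the per-minute scan of a full day's events is what makes "first today" decidable at all.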