Hi @smuderasi, this is not the finished meal, but should give you an idea of how you can do it:

| noop
| makeresults
| eval id = "1 2 3 4 5 6 7 8 9"
| makemv id
| mvexpand id
| eval server = case(id=1,"hostA",id=2,"hostB",id=3,"hostC",id=4,"hostA",id=5,"hostC",id=6,"hostB",id=7,"hostB",id=8,"hostA",id=9,"hostC")
| eval _time = case(id=1,_time+10,id=2,_time+20,id=3,_time+40,id=4,_time+40,id=5,_time+50,id=6,_time+60,id=7,_time+70,id=8,_time+80,id=9,_time+90)
| eval state = case(id=1,"health_ok",id=2,"health_not_ok",id=3,"health_ok",id=4,"health_ok",id=5,"health_ok",id=6,"health_not_ok",id=7,"health_not_ok",id=8,"health_not_ok",id=9,"health_not_ok")
| fields - id
| sort server, _time
| streamstats count as alert_counter by server, state

The first block, up to and including the | fields - id, is just to make up some sample data - you don't need that as you have data 🙂

The streamstats will create the field alert_counter, which adds 1 every time the server and state are the same as in the line above. So your alert could trigger when alert_counter>=3 AND state!=health_ok. You can also add your status field like that.

I don't have a good idea right now for your alert conditions (every 2 minutes, later every 30 minutes); it might be possible with 2 different alerts somehow. Hope I could at least give you some inspiration.
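A variant of the search above that counts only consecutive events, added here as an example and not part of the original post. The sample events are constructed: hostA alternates between states and hostB has three health_not_ok events in a row. `reset_on_change=true` restarts the count whenever server or state differs from the previous event, so only hostB reaches 3.

```spl
| makeresults count=9
| streamstats count as id
| eval _time = _time + id*10
| eval server = if(id%2==1, "hostA", "hostB")
| eval state = case(id=1,"health_not_ok",id=2,"health_ok",id=3,"health_ok",id=4,"health_not_ok",id=5,"health_not_ok",id=6,"health_not_ok",id=7,"health_ok",id=8,"health_not_ok",id=9,"health_not_ok")
| fields - id
| sort 0 server, _time
| streamstats reset_on_change=true count as alert_counter by server, state
| where alert_counter>=3 AND state!="health_ok"
| table _time, server, state, alert_counter
```

The string in the `where` clause is quoted because an unquoted health_ok would be read as a field name.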