Hi folks, been banging my head against this for hours and am sure I am missing something obvious. I have tried using eval and eventstats in various iterations, but no dice. Essentially I am trying to have the below Alert/Search executed (which compares a volume of errors from one minute to the next). The problem we've been running into is that we have a field value SESSID that is assigned to unique sessions, and at times one "stuck" session can really muddy up this valuable canary alert for us. My goal is to either exclude all results with an offending SESSID (e.g. where its stats percentage exceeded 10%) or just not trigger the alert for that particular minute.

host=app* LOGLEVEL=ERROR earliest=-2m@m latest=-1m@m
| stats count as LastMinute
| join host [search host=app* LOGLEVEL=ERROR earliest=-3m@m latest=-2m@m | bucket _time span=1m | stats count as PrevMinute ]
| eval HigherThanPrevMinute=(3*PrevMinute)
| where LastMinute > HigherThanPrevMinute
| where LastMinute > 1000
| table LastMinute,PrevMinute

Thank you in advance!
-Armen
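One way to get the first option (drop the offending sessions before counting), as an added example that is not part of the original post: it assumes the same host/LOGLEVEL filters and the SESSID field named above, pulls both minutes in a single search so no join is needed, uses eventstats to work out each session's share of that minute's errors, and discards any session above 10% before the two per-minute counts and the original thresholds are applied.

```spl
host=app* LOGLEVEL=ERROR earliest=-3m@m latest=-1m@m
| bin _time span=1m
| eventstats count AS MinuteTotal BY _time
| eventstats count AS SessionCount BY _time, SESSID
| eval SessionPct = round(100 * SessionCount / MinuteTotal, 2)
| where isnull(SessionPct) OR SessionPct <= 10
| eval Minute = if(_time >= relative_time(now(), "-2m@m"), "LastMinute", "PrevMinute")
| stats count(eval(Minute="LastMinute")) AS LastMinute, count(eval(Minute="PrevMinute")) AS PrevMinute
| fillnull value=0 LastMinute PrevMinute
| eval HigherThanPrevMinute = 3 * PrevMinute
| where LastMinute > HigherThanPrevMinute AND LastMinute > 1000
| table LastMinute, PrevMinute
```

The isnull() clause keeps errors that carry no SESSID at all, which a plain `SessionPct <= 10` comparison would silently drop; for the second option (suppress the whole minute instead), replace that where line with `| eventstats max(SessionPct) AS MaxPct BY _time | where MaxPct <= 10` so a minute containing any session over 10% contributes no events.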