I need to create an alert based on a number of events occurring in a particular time period for multiple servers. I know how to do a search to do this for a single server, but I can't figure out if there's a way to do more than one in a single search. I don't want to have to set up individual alerts for each server (too many servers, and it needs to pick new ones up automatically), and I need the counts to be independent by server. So for example:
I have 100 servers that would match host=*abcd*, and I need to know if any of them have more than 3 events that match field=XXXX in a 5 minute period. It can't alert if I have three different servers that have the matching event, only if each individual server has that count of the event.
Hopefully this makes sense.
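An added example search (not from the original post) showing the per-host counting the question describes: `stats ... BY host` keeps each server's count separate, so the `where` only passes hosts that individually exceed the threshold. `host=*abcd*` and `field=XXXX` are the poster's placeholders; the time modifiers and field alias are assumptions.

```spl
host=*abcd* field=XXXX earliest=-5m@m latest=@m
| stats count AS event_count BY host
| where event_count > 3
```

Schedule this as a saved search running every 5 minutes with the alert condition "number of results > 0"; new servers matching `host=*abcd*` are picked up automatically because the host list is never hard-coded. To check the same condition over a longer historical range, replace the time modifiers with e.g. `earliest=-24h` and add `| bin _time span=5m` before the `stats`, grouping `BY _time, host` so each 5-minute bucket is evaluated per host.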