I have a scenario where I need to build an alert for a search that triggers on a numerical value. I need to set a threshold and an alert that triggers only when that threshold is exceeded, and then have the alert reset once the value is back under that threshold.
So basically, var2 returns a NUMERICAL_VALUE, which is the numerical value that I need to alert on.
For example:
When NUMERICAL_VALUE goes above 5, I want the alert to fire. So, if NUMERICAL_VALUE goes from 4 to 6, the alert would fire, but not if it goes from 6 to 7.
If NUMERICAL_VALUE goes from 7 back to 4, that would reset the alert. Then, if NUMERICAL_VALUE went back from 4 to 6, it would trigger the alert again.
I have the alert search set to run every two minutes.
Thanks to anyone who has any answers.
index=someindex sourcetype="somesourcetype" source="somesource" Var1="StaticValue" Var2=StaticValue | dedup Var1 Var2 | where NUMERICAL_VALUE > 5
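As an added example that is not part of the original post: the edge-triggered threshold logic described above (fire on the upward crossing, stay silent while the value remains above, re-arm once it drops back), implemented in Python over constructed poll readings. The key, threshold and values are assumptions taken from the question's placeholders. The point it makes that the posted search cannot: a `where NUMERICAL_VALUE > 5` after `dedup` sees only the latest reading per key, so it re-alerts on every run while the value stays high; a crossing can only be detected by comparing the current reading with the previous one. In SPL that comparison is normally done by sorting ascending and using `streamstats current=f last(NUMERICAL_VALUE) as prev by Var1 Var2` over a time range that spans at least two scheduled runs, then `where NUMERICAL_VALUE > 5 AND prev <= 5`; the `alerts_per_run` function below emulates that two-poll window.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

THRESHOLD = 5  # from the question: fire when NUMERICAL_VALUE goes above 5


@dataclass(frozen=True)
class Sample:
    """One polled reading. Field names mirror the question's placeholders."""
    time: int              # poll time, epoch seconds (constructed)
    key: Tuple[str, str]   # (Var1, Var2): the identity the search dedups on
    value: float           # NUMERICAL_VALUE


def crossings(samples: Iterable[Sample], threshold: float = THRESHOLD,
              fire_when_unseen: bool = False) -> List[Sample]:
    """Return the samples at which the alert should fire.

    Edge-triggered: a key fires when its value goes from <= threshold to
    > threshold, stays silent while it remains above, and re-arms once a
    reading at or below the threshold is seen. `fire_when_unseen` decides
    whether a key whose very first reading is already above the threshold
    fires; the SPL form `prev <= 5` does not, since prev is null there.
    """
    fired: List[Sample] = []
    prev: Dict[Tuple[str, str], float] = {}
    for s in sorted(samples, key=lambda s: s.time):   # SPL: | sort 0 _time
        last: Optional[float] = prev.get(s.key)       # SPL: streamstats current=f last(..) as prev by Var1 Var2
        armed = (last <= threshold) if last is not None else fire_when_unseen
        if s.value > threshold and armed:
            fired.append(s)
        prev[s.key] = s.value
    return fired


def alerts_per_run(samples: List[Sample], period: int = 120) -> List[List[int]]:
    """Emulate the scheduled alert: every `period` seconds a run searches the
    last 2*period seconds (the current poll and the one before it) and applies
    `crossings`. Returns the fire times found by each run; across all runs
    each crossing appears exactly once, and a value that stays high does not
    re-alert."""
    ordered = sorted(samples, key=lambda s: s.time)
    runs: List[List[int]] = []
    for now in range(ordered[0].time + period, ordered[-1].time + 1, period):
        window = [s for s in ordered if now - 2 * period < s.time <= now]
        runs.append([s.time for s in crossings(window, fire_when_unseen=False)])
    return runs


# Constructed readings for one key, polled every two minutes, using the
# sequence from the question: 4 -> 6 (fire), 6 -> 7 (silent), 7 -> 4 (reset),
# 4 -> 6 (fire again).
KEY = ("StaticValue", "StaticValue")
CONSTRUCTED_POLLS = [
    Sample(0, KEY, 4),
    Sample(120, KEY, 6),
    Sample(240, KEY, 7),
    Sample(360, KEY, 4),
    Sample(480, KEY, 6),
]

if __name__ == "__main__":
    print("fires at:", [s.time for s in crossings(CONSTRUCTED_POLLS)])
    print("per scheduled run:", alerts_per_run(CONSTRUCTED_POLLS))
```

The search window must be wide enough to always contain the previous poll (for a two-minute schedule, an `earliest` of at least four minutes); if it only covers the latest poll, `prev` is null on every run and nothing ever fires.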