I have a search query which uses dedup to get the latest event from my source type.
Search:
sourcetype=MonitorLog | dedup Username | where SecondsElapsed >= 300
Username, AllocatedDirectorySize,UsedDirectorySize,PercentageUsage,LatestFileCreationTime,TimeElapsed,SecondsElapsed
amiro,300,314,105%,5/17/2017 12:01:30 PM,"0 days, 0 hours, 7 minutes, 15 seconds",435.0344144
safcom,900,907,101%,5/17/2017 11:50:18 AM,"0 days, 0 hours, 5 minutes, 6 seconds",306.0829872
How do I set up a scheduled alert which will run this search and trigger an alert when an event is returned?
I have used the below, but it's not working.
Earliest: +0m@m
Latest: +5m@m
Cron expression: */5 * * * *
Any suggestions?
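Added example, not from the original post: a savedsearches.conf stanza that runs the search above every 5 minutes and fires when it returns at least one row. In Splunk's relative-time syntax a `+` modifier points forward from the moment the search runs, so an earliest of `+0m@m` and latest of `+5m@m` define a window in the future and match no indexed events; the stanza instead looks back over the previous 5 minutes. The stanza name, app location and e-mail address are assumptions.

```ini
# Added example (not the poster's configuration). Place in
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf (path assumed).
[Monitor directory usage - stale users]
search = sourcetype=MonitorLog | dedup Username | where SecondsElapsed >= 300

# Run on a schedule, every 5 minutes (same cron expression as the post)
enableSched = 1
cron_schedule = */5 * * * *

# Look back over the last 5 minutes, snapped to the minute, rather than
# forward: +0m@m .. +5m@m lies in the future and returns nothing.
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Trigger condition: number of results greater than 0
counttype = number of events
relation = greater than
quantity = 0

# Record triggered alerts in the Triggered Alerts view
alert.track = 1

# Notification action; the address is a placeholder
action.email = 1
action.email.to = soc@example.com
```

Before scheduling, run the same search in the search bar with the time picker set to "Last 5 minutes" and confirm it returns rows; if the manual run returns nothing, the scheduled alert will not fire either. Because `dedup Username` keeps one row per user, the lookback can be made a little longer than the cron interval (for example `-6m@m`) to tolerate indexing lag without producing duplicate rows.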