I am trying to create a search where, if there is a change of 30 percent within 5 mins of a few field values, I would like to create an alert. The search should take a sum of the field values where field names are like traffic_in#abc and traffic_out#abc, and then use the delta command to find the difference between current and previous values. Now, the issue is I have 11 field values like abc (e.g., abc, cde, efg, etc.) and I want the delta of the total of (traffic_in#***+traffic_out#***) and then find the values when traffic has changed by over 30%. The search that I have can be used when I have only one value like abc, but I want to change it so that it can work with multiple values. The search is:
eventtype=cacti:mirage host="onl-cacti-02" host_id=193 ldi IN("8835","8836","8837","8839","8840","8841","8846","8847","8848","8843","8844")
| reverse
| eval combination=rrdn+"#"+name_cache
| streamstats current=t window=2 global=f range(_time) as deltaTime range(rrdv) AS rrd_value_delta by combination
| eval isTraffic = if(like(rrdn,"%traffic%"),1,0)
| eval kpi = if(isTraffic==1,rrd_value_delta*8/deltaTime,rrd_value_delta/deltaTime)
| timechart limit=0 useother=f span=5min last(kpi) by combination
| addtotals fieldname=total
| delta total as change
| eval change_percent=change/(total-change)*100
| timechart span=5min first(total) AS total_traffic, first(change_percent) AS traffic_change
| where abs(traffic_change) > 30
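To check the aggregation logic of the search above without a Splunk instance, here is an added Python re-implementation of its second half (the timechart/addtotals/delta/where stages), written for this edit and not part of the original post or of Splunk. It assumes the first half of the search has already produced one (_time, combination, kpi) row per sample; the SAMPLE_ROWS values are constructed for illustration, with bins 3 and 5 deliberately carrying a surge and a drop, and bin 4 carrying two samples for one combination so that last() behaviour is visible. It also guards the case the SPL eval would leave null: no previous bin, or a previous total of 0.

```python
"""Offline re-implementation of the aggregation stages of the Splunk search
(timechart span=5min last(kpi) by combination | addtotals | delta | eval | where).
Added example, not the original search; sample data is constructed."""
from collections import defaultdict

SPAN = 300            # seconds; mirrors span=5min in the SPL
THRESHOLD_PCT = 30.0  # mirrors where abs(traffic_change) > 30

# Constructed sample rows: (epoch _time, combination, kpi), as the
# streamstats/eval stages of the search would emit them. Hypothetical values.
SAMPLE_ROWS = [
    # bin 1: total 250
    (1000, "traffic_in#abc", 100.0), (1000, "traffic_out#abc", 50.0),
    (1000, "traffic_in#cde", 80.0),  (1000, "traffic_out#cde", 20.0),
    # bin 2: total still 250 (no alert)
    (1300, "traffic_in#abc", 105.0), (1300, "traffic_out#abc", 45.0),
    (1300, "traffic_in#cde", 82.0),  (1300, "traffic_out#cde", 18.0),
    # bin 3: surge to 500 (+100 %)
    (1600, "traffic_in#abc", 200.0), (1600, "traffic_out#abc", 100.0),
    (1600, "traffic_in#cde", 160.0), (1600, "traffic_out#cde", 40.0),
    # bin 4: two samples for traffic_in#abc; the later one (200) wins, total 500
    (1900, "traffic_in#abc", 10.0),  (1950, "traffic_in#abc", 200.0),
    (1900, "traffic_out#abc", 100.0),
    (1900, "traffic_in#cde", 160.0), (1900, "traffic_out#cde", 40.0),
    # bin 5: drop to 300 (-40 %)
    (2200, "traffic_in#abc", 120.0), (2200, "traffic_out#abc", 60.0),
    (2200, "traffic_in#cde", 96.0),  (2200, "traffic_out#cde", 24.0),
]


def bucket(t, span=SPAN):
    """Floor a timestamp to the start of its span-wide bin (timechart span=)."""
    return (t // span) * span


def totals_per_bin(rows, span=SPAN):
    """timechart span=5min last(kpi) by combination | addtotals fieldname=total

    Returns {bin_start: total}: for every bin, the sum over all combinations of
    the last kpi value seen for that combination inside the bin.
    """
    last_kpi = defaultdict(dict)  # bin_start -> {combination: kpi}
    # Ascending time order plays the role of "| reverse"; a later sample for the
    # same combination overwrites the earlier one, which is what last() does.
    for t, combination, kpi in sorted(rows, key=lambda r: r[0]):
        last_kpi[bucket(t, span)][combination] = kpi
    return {b: sum(vals.values()) for b, vals in sorted(last_kpi.items())}


def traffic_changes(rows, span=SPAN):
    """delta total as change | eval change_percent=change/(total-change)*100

    Returns [(bin_start, total, change_percent)]. change_percent is None for the
    first bin (delta has no previous row) and when the previous total was 0,
    where the SPL eval would divide by zero and yield null.
    """
    out = []
    prev = None
    for b, total in totals_per_bin(rows, span).items():
        pct = None
        if prev is not None and prev != 0:
            change = total - prev
            pct = change / (total - change) * 100  # total - change == prev
        out.append((b, total, pct))
        prev = total
    return out


def alerts(rows, threshold=THRESHOLD_PCT, span=SPAN):
    """where abs(traffic_change) > threshold; rows with a null change are dropped."""
    return [(b, total, pct) for b, total, pct in traffic_changes(rows, span)
            if pct is not None and abs(pct) > threshold]


if __name__ == "__main__":
    for b, total, pct in traffic_changes(SAMPLE_ROWS):
        print(b, total, pct)
    print("alerts:", alerts(SAMPLE_ROWS))
```

Running it reports an alert for bin 1500 (250 to 500, +100 %) and bin 2100 (500 to 300, -40 %), and none for the unchanged bins, which matches what the where clause in the search is meant to keep. The `prev != 0` guard is the one point where this differs from a literal translation: an eval that divides by a zero previous total produces a null change_percent in Splunk, so such rows would silently never alert either way.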