I have a search scheduled to send an email alert when count > 10 in an hour timespan.
index=webserver sourcetype=web_logs loglevel=error | stats count by user | where count > 10
Let's say I schedule this alert at 8am to run every hour. How does the hourly cycle work to fire an email alert?
If count is > 10 at 9:30am, will I get notified via email alert at 9:30 or 10am?