Hi, a bit of background: I am trying to monitor a 15% drop in logins using the delta command, at the moment over the last 15 minutes.
I am using the search below as my test:
index=*_XXXX_app AND (/security/session) | eval call=case(uri like "/security/session%","Login") | timechart count span=5m | delta count as difference | eval percdif=round(abs(difference/count)*100,0)
My final search, which I will use to create an alert, is:
index=*_XXXX_app AND (/security/session) | eval call=case(uri like "/security/session%","Login") | timechart count span=5m | delta count as difference | eval percdif=round(abs(difference/count)*100,0) | where percdif>=15 AND difference<0 | eval mesg="Suspected Service Impact 15 Percent drop in Traffic" | table _time mesg
The problem I have is that it keeps triggering against the last minute.
For example, if I run it I get:
_time                 count   difference   percdif
2016-02-14 08:45:00   258
2016-02-14 08:50:00   377     119          32
2016-02-14 08:55:00   358     -19          5
2016-02-14 09:00:00   15      -343         2287
It does not like the first and last minute of data. Do I need to find a way to get it to ignore the last minute?
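As an added illustration (this is my own example code, not the poster's search and not anything shipped with Splunk), the Python below models the pipeline `timechart count span=5m | delta count as difference | eval percdif=... | where percdif>=15 AND difference<0` on constructed login timestamps. The per-bucket counts for 08:45, 08:50 and 08:55 are taken from the table in the post; the 09:00 bucket is assumed to be heading for 50 logins but the search is assumed to run at 09:01:30, so only 15 of them exist yet. That reproduces the `-343 / 2287` row and shows why it appears: `delta` compares a bucket that is still filling against a complete one. The `alert_rows` function adds the check a practitioner would want, skipping any bucket whose end lies after "now".

```python
import math
from datetime import datetime, timedelta

SPAN = timedelta(minutes=5)            # timechart span=5m
EPOCH = datetime(1970, 1, 1)

# Constructed data (not from the poster's index): per-bucket login counts, with the
# search assumed to run at 09:01:30 so the 09:00 bucket holds only 90 s of events.
NOW = datetime(2016, 2, 14, 9, 1, 30)
BUCKET_COUNTS = {
    datetime(2016, 2, 14, 8, 45): 258,
    datetime(2016, 2, 14, 8, 50): 377,
    datetime(2016, 2, 14, 8, 55): 358,
    datetime(2016, 2, 14, 9, 0): 50,   # assumed full-bucket total; only 15 arrive before NOW
}


def build_events(bucket_counts, now):
    """Spread each bucket's events evenly over its 5 minutes and clip at `now`,
    which is what a live search sees: the newest bucket is still filling up."""
    events = []
    for start, n in bucket_counts.items():
        for i in range(n):
            ts = start + timedelta(seconds=SPAN.total_seconds() * i / n)
            if ts < now:
                events.append(ts)
    return events


def bucket_start(ts, span=SPAN):
    """Floor a timestamp to its span boundary, as timechart does."""
    secs = int((ts - EPOCH).total_seconds())
    width = int(span.total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % width)


def timechart_count(events, span=SPAN):
    """`timechart count span=5m`: list of (bucket_start, count) in time order."""
    counts = {}
    for ts in events:
        b = bucket_start(ts, span)
        counts[b] = counts.get(b, 0) + 1
    return [(b, counts[b]) for b in sorted(counts)]


def delta_percdif(rows):
    """`delta count as difference | eval percdif=round(abs(difference/count)*100,0)`.
    The first row has no predecessor, so difference and percdif are None there."""
    out, prev = [], None
    for b, count in rows:
        if prev is None:
            out.append((b, count, None, None))
        else:
            difference = count - prev
            percdif = math.floor(abs(difference / count) * 100 + 0.5)  # round half up
            out.append((b, count, difference, percdif))
        prev = count
    return out


def alert_rows(rows, now, span=SPAN, threshold=15, skip_partial=True):
    """`where percdif>=15 AND difference<0`, optionally ignoring any bucket whose
    end lies after `now` (it is still accumulating events, so its count is low)."""
    hits = []
    for b, count, difference, percdif in delta_percdif(rows):
        if difference is None:
            continue                      # first bucket: nothing to compare against
        if skip_partial and b + span > now:
            continue                      # incomplete trailing bucket
        if difference < 0 and percdif >= threshold:
            hits.append((b, count, difference, percdif))
    return hits


EVENTS = build_events(BUCKET_COUNTS, NOW)
ROWS = timechart_count(EVENTS)

if __name__ == "__main__":
    for row in delta_percdif(ROWS):
        print(row)
    print("alerts, all rows:     ", alert_rows(ROWS, NOW, skip_partial=False))
    print("alerts, complete only:", alert_rows(ROWS, NOW, skip_partial=True))
```

Running it prints the same four rows as the post (`377 119 32`, `358 -19 5`, `15 -343 2287`); with `skip_partial=False` the 09:00 bucket fires, with the default it does not, while a genuine drop in a completed bucket (say 08:55 falling to 300, a 26% drop) still fires. The first row is harmless in the final search because `delta` leaves its `difference` null and `where difference<0` then evaluates false. The SPL equivalent of `skip_partial` is to discard the trailing row before the `where`, for example `| where _time + 300 <= now()` (my assumption, sized for a 5-minute span; adjust if the span changes). Note also that `percdif` divides by the current bucket's count, which is why a drop can exceed 100%; dividing by the previous count would cap it at 100 if a bounded percentage is preferred.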