Hi,
Here is the query I have `index=vpn sourcetype=vpn_prod srauserid1=* earliest=-10m |timechart span=5m dc(srauserid1) AS all_user | delta all_user as diffuser | search diffuser < -20 | rename diffuser as "Users Dropped" | table _time,"Users Dropped"`
I want this alert to trigger if the user count drops by 20 in the last 5 minutes.
| Time    | Usercount | Users Dropped |
|---------|-----------|---------------|
| 1:25 PM | 100       | 0             |
| 1:30 PM | 50        | -50           |
In that case, trigger at 1:30 PM. Every time it drops by 20 in a 5-minute window we need to be alerted. I am not sure if I am using earliest=-10m correctly. The way I think I have it now is to look back over the last 10 mins, and in "Trigger Condition" I have "Trigger alert when Number of results is greater than 0 in 5 minutes for each result". Is my assumption correct, or is there a better way to do this?
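To make the `earliest=-10m` question concrete, here is an added Python model of the search pipeline (`timechart span=5m dc(...)`, then `delta`, then `search diffuser < -20`). It is not from the original post or from Splunk; it assumes, as `timechart` does, that buckets are aligned to 5-minute boundaries rather than to the search window, and it runs on constructed events (`user000`..`user099`, epoch base `B0`) so it works offline. It shows the drop in the poster's table being reported once, at the bucket where it happens, and then the failure mode of a 10-minute lookback evaluated mid-bucket: the trailing bucket is only partly inside the window, so its distinct count is low and `delta` reports a drop that never happened. The `only_complete_buckets` guard is an assumption of how to handle that; with it in place the lookback has to cover at least two whole buckets (15 minutes here), otherwise there is nothing to diff.

```python
from collections import defaultdict

SPAN = 300        # seconds; mirrors "timechart span=5m"
THRESHOLD = -20   # mirrors "search diffuser < -20" (a drop of exactly 20 does not match)


def timechart_dc(events, earliest, latest, span=SPAN):
    """Mimic `timechart span=5m dc(user)`: keep events with earliest <= ts < latest,
    assign each to an epoch-aligned span bucket, return sorted (bucket_start, distinct users)."""
    buckets = defaultdict(set)
    for ts, user in events:
        if earliest <= ts < latest:
            buckets[ts - ts % span].add(user)
    return [(b, len(users)) for b, users in sorted(buckets.items())]


def only_complete_buckets(series, earliest, latest, span=SPAN):
    """Assumed guard: drop buckets that are only partly inside the search window.
    A partial bucket undercounts, so the delta against it looks like a user drop."""
    return [(b, n) for b, n in series if b >= earliest and b + span <= latest]


def dropped_users(series, threshold=THRESHOLD):
    """Mimic `delta all_user AS diffuser | search diffuser < -20`.
    The first bucket has no delta (null in Splunk) and is never a hit."""
    hits = []
    prev = None
    for b, n in series:
        if prev is not None and n - prev < threshold:
            hits.append((b, n - prev))
        prev = n
    return hits


# Constructed sample data: four consecutive 5-minute buckets, 100,100,100 then 50 users.
B0 = 1_700_000_100   # divisible by 300, so it is a bucket boundary


def _bucket(start, n_users):
    # one event per user, spread across the bucket at 3-second steps
    return [(start + i * 3, f"user{i:03d}") for i in range(n_users)]


EVENTS = (_bucket(B0, 100) + _bucket(B0 + 300, 100)
          + _bucket(B0 + 600, 100) + _bucket(B0 + 900, 50))


def real_drop():
    """Whole buckets in the window: the 100 -> 50 drop is reported once, at the last bucket."""
    series = timechart_dc(EVENTS, B0, B0 + 1200)
    return dropped_users(series)


def spurious_drop():
    """earliest=-10m evaluated 2.5 minutes into a bucket, with 100 users throughout:
    the leading and trailing buckets are partial, and the trailing one reads as a -50 drop."""
    now = B0 + 600 + 150
    series = timechart_dc(EVENTS, now - 600, now)
    return series, dropped_users(series)


def guarded(now, lookback):
    """Same search with incomplete buckets excluded (assumed guard, not Splunk's own behaviour)."""
    earliest, latest = now - lookback, now
    series = only_complete_buckets(timechart_dc(EVENTS, earliest, latest), earliest, latest)
    return series, dropped_users(series)


if __name__ == "__main__":
    print("real drop:", real_drop())
    print("spurious with -10m:", spurious_drop())
    print("guarded, -10m (one whole bucket, nothing to diff):", guarded(B0 + 750, 600))
    print("guarded, -15m, no drop yet:", guarded(B0 + 750, 900))
    print("guarded, -15m, after the drop completes:", guarded(B0 + 1230, 900))
```

The practical reading: with `span=5m`, a 10-minute lookback that starts and ends mid-bucket produces two half-filled buckets, and the trailing one alone can push `diffuser` below -20 on a perfectly healthy VPN. Either lengthen the lookback so two whole buckets are always present and ignore the incomplete trailing bucket, or accept that the alert can fire on bucket boundaries rather than on real disconnects. Note also that `diffuser < -20` does not match a drop of exactly 20; `diffuser <= -20` would.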