Hi,
Below is the query that will run over the last 2 weeks of data, but I want an alert to trigger only if "good count" is greater than 4 in the last 24 hrs.
index=abc sourcetype=abc
| stats max(resptime) as response by _time, name
| streamstats window=1000 current=true median(response) as median by name
| eval absDev=abs(response-median)
| streamstats window=1000 current=true median(absDev) as medianAbsDev by name
| eval lowerBound=median-medianAbsDev*exact(20), upperBound=median+medianAbsDev*exact(20)
| eval isgoodcount=if(response < lowerBound OR response > upperBound, 1, 0)
| stats sum(isgoodcount) as "good count" by name
| where 'good count' > 4
| sort -"good count"
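One way to keep the two-week baseline for the median/MAD calculation but count outliers only from the last 24 hours, written as an added example (not the original poster's query). It assumes the same index, sourcetype, resptime and name fields as above, and that the saved search is scheduled with a two-week time range so that the rolling streamstats window has history to work from; the 24-hour cut is applied after the outlier flag is computed and before the final count.

```spl
index=abc sourcetype=abc
| stats max(resptime) as response by _time, name
``` rolling median of response over the last 1000 samples per name ```
| streamstats window=1000 current=true median(response) as median by name
| eval absDev=abs(response-median)
``` rolling median absolute deviation (MAD) per name ```
| streamstats window=1000 current=true median(absDev) as medianAbsDev by name
| eval lowerBound=median-medianAbsDev*exact(20), upperBound=median+medianAbsDev*exact(20)
| eval isgoodcount=if(response < lowerBound OR response > upperBound, 1, 0)
``` keep only events from the last 24 hours for the count, after the baseline is built ```
| where _time >= relative_time(now(), "-24h")
| stats sum(isgoodcount) as "good count" by name
| where 'good count' > 4
| sort -"good count"
```

Saved as an alert, the trigger condition can then simply be "number of results is greater than 0": any name that appears in the output already has more than 4 outliers in the last 24 hours, while the bounds it is judged against still come from the full two-week window.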