How can I get results only when 3 consecutive files exceed the 1 KB limit?
I tried this with the query below, however I am not getting the expected results:
index=idx1 sourcetype=src1 | eval raw_len=(len(_raw)/1024) | stats sum(raw_len) as filesize by source | streamstats window=3 values(eval(filesize>=1)) as finalcheck by source
Can someone please help me with this?
Thank you in advance.