I have an alert that fires when the hourly count is 50% greater hour over hour; this seems to be working fine:
index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=@h
| stats count as LastHour
| appendcols [search index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | stats count as CurrHour]
| where CurrHour>1.5*LastHour
This reports the LastHour and CurrHour values, which I would like. In addition to this, I would also like the report to include something like the results from this search when the alert fires:
index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | chart count over errorCode
I'm not sure how to combine these to include both of these in the report output.
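One way to get both the hour-over-hour totals and the per-errorCode breakdown into a single result set, added here as an illustration rather than as part of the original post. It assumes the same index, fields and time windows as the searches above; the field names `bucket`, `LastHourTotal` and `CurrHourTotal` are my own. Instead of two subsearches joined with `appendcols` (which pairs rows by position and so cannot be lined up with a per-errorCode chart), one search covers both hours, `eval` labels each event by hour, `chart` produces one row per errorCode with a LastHour and a CurrHour column, and `eventstats` adds the hourly totals to every row so the original 1.5x condition can still be applied:

```spl
index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=now
| eval bucket=if(_time < relative_time(now(), "@h"), "LastHour", "CurrHour")
| chart count over errorCode by bucket
| fillnull value=0 LastHour CurrHour
| eventstats sum(LastHour) as LastHourTotal, sum(CurrHour) as CurrHourTotal
| where CurrHourTotal > 1.5 * LastHourTotal
| table errorCode LastHour CurrHour LastHourTotal CurrHourTotal
| sort - CurrHour
```

When the condition is not met, `where` drops every row and the alert produces no results, so the existing "number of results > 0" trigger keeps working; when it is met, each row carries the errorCode counts for both hours plus the two totals the original alert reported. `fillnull` matters because an errorCode seen in only one of the two hours otherwise has a missing value rather than 0 in the other column, which would make the totals and the comparison unreliable. As with the original search, a LastHourTotal of 0 means any current-hour activity fires the alert.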