hi
I have an alert with multiple checks like below:
1> check if a job has completed,
2> if the job has completed, calculate the count of categories and calculate the count difference from today's export to the four-day average.
3> if the count difference is less than -10 or > 10, alert.
The query for 2 and 3 is ready... with 3 being done as a custom alert condition in the alert definition.
2 is handled by the query below.
index=live earliest="-4h" latest=now categoryExport | stats dc(category) as count_4h | appendcols [ search index=live earliest=-4d latest=-12h categoryExport | stats count(category) as count_4d by date_mday | eventstats avg(count_4d) as avgCount4d | eval avgCount4d = round(avgCount4d,0) ] | eval difference= avgCount4d - count_4h
However, I only need to run this alert check when condition 1 is satisfied. It is as simple as a log that says 'job completed'.
I thought of using searchmatch but that doesn't give me an overall summarised condition of whether the export has occurred or not.
How do I fit check condition 1 in here? If I used an AND condition I would lose the data I need for '2'.
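One way to gate the existing search on the "job completed" log without losing the export data, as an added example that is not part of the original post: pull the completion check in through its own appendcols subsearch (so it never filters the categoryExport events), then drop the single result row with `where` when no completion event was seen. The `stats count` in that subsearch always returns exactly one row, with count 0 when nothing matched, so the join stays one-to-one. It assumes the completion message is the literal string "job completed" in index=live and that it should appear within the same 4h window as the export; both are assumptions for illustration. The four-day subsearch here collapses to one row with a final `stats` rather than `eventstats`, so appendcols lines up a single row on each side.

```spl
index=live earliest=-4h latest=now categoryExport
| stats dc(category) as count_4h
| appendcols
    [ search index=live earliest=-4d latest=-12h categoryExport
      | stats count(category) as count_4d by date_mday
      | stats avg(count_4d) as avgCount4d
      | eval avgCount4d=round(avgCount4d,0) ]
| appendcols
    [ search index=live earliest=-4h latest=now "job completed"
      | stats count as jobCompleted ]
| eval difference=avgCount4d - count_4h
| where jobCompleted > 0
```

With this shape the custom alert condition on `difference` keeps working unchanged: when the job has not completed, the search returns no rows and the alert simply does not fire, and when it has, `difference` is computed from the full export data as before. If the completion log carries a job name or run id, add it to the third subsearch's filter so a completion from a different job does not open the gate.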