Hello,
I am trying to count the time buckets when the specific search returns values and alert on it. My current search looks as follows:
index=mlbso sourcetype=BWP_hanatraces "Out of memory for Pool/JoinEvaluator" | timechart count span=1m as OOM_Pool | eval Occurence = if (OOM_Pool > 0,1,0)
For alerting, I am only interested in the occurrence being 1 or 0, not in the number of events (count) per time bucket. Then, I want to alert when the Occurrences increase with time, which I set in the alert trigger options (> 5 in the last 30 minutes).
The problem is that this is not working and the alert takes not only the Occurrence but also a Count and adds both up. So if I have the 25 events (OOM_Pool) in one minute, then the Occurrence is 1, Count 25 and the alert gets triggered. I tried to overcome this by setting the Custom triggering condition condition:
search Occurence > 5"
but this does not seem to work.
How would I do it properly?
Kind regards,
Kamil
↧