Channel: Questions in topic: "splunk-enterprise"

alert search with subsearch

Hello, I have an alert which selects from the database, and whenever entries come back, the alert is triggered. Now, I would like to implement a subsearch there and, depending on whether it brings any result back, the main part of the alert should be triggered.

The main search for the alert:

    | dbxquery query="select * from zkpiv_lstm_score" connection="HANA_MLBSO"
    | table RCA_TO_REPORT SYSID HOST TIMESTAMP CPU_CONSUMERS MEMORY_CONSUMERS CPU SYSTEM_CPU MEMORY_USED MEMORY_ALLOCATION_LIMIT PING_TIME CONNECTION_COUNT BLOCKED_TRANSACTION_COUNT STATEMENT_COUNT COMMIT_ID_RANGE CS_READ_COUNT CS_WRITE_COUNT CS_MERGE_COUNT CS_UNLOAD_COUNT ACTIVE_THREAD_COUNT WAITING_THREAD_COUNT

When the result comes back it means our Anomaly Detection algorithms found an issue and the alert should be triggered, so far so good. But at the same time we also have an alert searching for the system Crash Dumps. Obviously, when we find a Crash Dump, we do not need to alert on the anomalies anymore. So, what I would like to achieve is that if the subsearch for the Crash Dump is true, then the main search for the Anomaly Detection should NOT be true and thus the alert is not triggered.

The subsearch for the Crash Dump:

    | search [index=mlbso_changelog (crash_context OR crash_stack OR crash_shortinfo) sourcetype=BWP_crashdumps NOT "Table of contents" earliest=-60m latest=now | reverse]

How would I do this?

Kind Regards,
Kamil
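One way to gate the anomaly alert on the crash-dump search, added here as an illustration (it is not part of the original question and is not an answer from the thread): the crash-dump search runs as a subsearch that is collapsed to a single count, that count is joined onto every row of the dbxquery result via a constant key, and all rows are dropped when the count is non-zero, so the alert's "number of results > 0" condition is never met while a crash dump has been seen in the last 60 minutes. The field names crash_count and joinkey are constructed for this example; the dbxquery command, connection, index, sourcetype and column names are taken from the question as written.

```spl
| dbxquery query="select * from zkpiv_lstm_score" connection="HANA_MLBSO"
| table RCA_TO_REPORT SYSID HOST TIMESTAMP CPU_CONSUMERS MEMORY_CONSUMERS CPU SYSTEM_CPU MEMORY_USED MEMORY_ALLOCATION_LIMIT PING_TIME CONNECTION_COUNT BLOCKED_TRANSACTION_COUNT STATEMENT_COUNT COMMIT_ID_RANGE CS_READ_COUNT CS_WRITE_COUNT CS_MERGE_COUNT CS_UNLOAD_COUNT ACTIVE_THREAD_COUNT WAITING_THREAD_COUNT
| eval joinkey=1
| join type=left joinkey
    [ search index=mlbso_changelog (crash_context OR crash_stack OR crash_shortinfo) sourcetype=BWP_crashdumps NOT "Table of contents" earliest=-60m latest=now
    | stats count AS crash_count
    | eval joinkey=1 ]
| fillnull value=0 crash_count
| where crash_count=0
| fields - joinkey crash_count
```

Reading it top to bottom: `eval joinkey=1` gives every anomaly row the same constant key; the subsearch reduces the crash-dump events to one row (`stats count` returns a single row with count 0 even when nothing matched) carrying the same key, so `join type=left` attaches crash_count to every anomaly row; `fillnull` only guards against the subsearch being edited later to return no rows; `where crash_count=0` empties the result set whenever at least one crash dump was found, and the final `fields -` removes the helper columns so the alert's table looks as it did before. The subsearch keeps its own explicit `earliest=-60m latest=now`, so it is independent of the time range the alert schedule passes to the dbxquery part, and the alert itself can keep its existing trigger condition of "number of results greater than 0".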
