Hi,
We have a search that runs every minute, and if it finds that any service is down, it triggers an alert. However, we are thinking of enhancing the search so that it still runs at a 1-minute interval, but if it finds a service down, it should not trigger an alert right away. Instead, it should wait one more minute, and if it still gets the status as "Service Down", then it should trigger.
Below is our basic search:
index=index1 sourcetype=WMI Caption="*" host=WGP
| stats latest(State) AS State by _time host Name
| rename Name as Service
| search State=Stopped
| eval currentTime=now()
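One way to get the "down for two consecutive checks" behaviour, as an added example that is not part of the original post: keep the alert scheduled every minute, but have the search look back over the two most recent whole minutes, bucket the WMI events per minute, and only return a host/service pair when it was seen as Stopped in both buckets. It reuses the field names from the post (State, Name, Caption, host) and assumes the WMI input reports each service once per minute; the 2-minute window and the alert trigger condition (fire when the result count is greater than 0) are assumptions, not something the post specifies.

```spl
index=index1 sourcetype=WMI Caption="*" host=WGP earliest=-2m@m latest=@m
| bin _time span=1m
| stats latest(State) AS State by _time host Name
| rename Name AS Service
| eval stopped=if(State="Stopped", 1, 0)
| stats sum(stopped) AS stoppedChecks, dc(_time) AS checks, max(_time) AS lastSeen by host Service
| where checks=2 AND stoppedChecks=2
| eval lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| table host Service stoppedChecks lastSeen
```

The `earliest=-2m@m latest=@m` snap keeps the window aligned to minute boundaries, so each scheduled run sees exactly two complete minute buckets rather than a partial one. Requiring `checks=2` as well as `stoppedChecks=2` makes the intent explicit: a service that was Stopped once and then missing from the next collection does not alert, which avoids false positives from a single stale poll but also means a collection gap delays the alert by a minute. Once the service stays down, this search will match on every subsequent run, so set the alert's throttle on the Service field (or host and Service together) to the interval you actually want between repeat notifications.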