We always see some failures in our logs. But when we have an issue, the number of failures goes thru the roof. I'm trying to combine all the failures types and the threshold we've specified into a single search. I can create a bunch of individual searches/alerts, but I'd really like to combine them.
Here's a single/working one:
index=foo "FailureReason=24403" earliest=-30m | stats count by host | where count >20
Here's where I attempted to combine two
index=foo earliest=-30m | stats count by host where count(FailureReason=24403) >20 OR count(FailureReason=22056) > 500
But obviously something is wrong with my search/syntax. Can anyone help please?
Thanks
↧