I have a inputlookup which have fields like index and count need to create an alert which should trigger when count of indexes given will be exceed given count in lookup, use of sub search will also fine
I wrote a query to get the result but it's simple and it's giving static output I want dynamically use index field and count field.
Following are the query I used.
|inputlookup idx_myvdf.csv | table index | stats count by index | where count < 1000
|tstats c by index where index[|inputlookup idx_myvdf.csv | rename index AS actual_index] AS actual_count | table index count actual_index]
where count < actual_count
I want to modify the query so that it will give the output with actual index count mentioned over inputlookup and alert will be triggered once actual count will be greater than count value provided under count field.
![alt text][1]
[1]: /storage/temp/274641-img-20190828-wa0017.jpg
↧