Dear fellows, I am trying to write a search string to monitor which of my devices is unusually sending out a lot of logs.
I think I may try to find out the volume by host by day, then find out the avg_value of log volume by host per day. This value should be kept updated by day.
If a device's real-time log volume > the device's (avg_value*2), then send an alert.
I tried to use the following search string but I don't know how to continue. And there are null values to be considered.
index=_internal source=*license_usage.log* type=Usage
| convert timeformat="%d/%m/%Y" ctime(_time) AS timestamp
| chart sum(b) AS volume_b BY h timestamp
Would you mind helping me solve the problem? Thank you very much.
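One way to finish the search, shown here as an added example that is not part of the original post. It keeps the h (host) and b (bytes) fields from license_usage.log that the question already uses; the 30-day baseline window, the field names avg_volume_b / today_b / baseline_days and the idea of saving it as a scheduled alert are assumptions made for the example.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-30d@d
| bin _time span=1d
| stats sum(b) AS volume_b BY h _time
| eval day_type=if(_time >= relative_time(now(), "@d"), "today", "baseline")
| eval baseline_b=if(day_type="baseline", volume_b, null()), today_b=if(day_type="today", volume_b, null())
| stats avg(baseline_b) AS avg_volume_b, sum(today_b) AS today_b, count(baseline_b) AS baseline_days BY h
| fillnull value=0 today_b avg_volume_b baseline_days
| where baseline_days > 0 AND today_b > avg_volume_b * 2
| table h today_b avg_volume_b baseline_days
```

Each run recomputes the per-host daily average from the previous days in the window, so the baseline updates by itself; `fillnull` turns the missing values (a host with no usage today, or no baseline days yet) into 0, and `baseline_days > 0` keeps a brand-new host from alerting on an empty average. Saved as an alert that runs on a schedule and triggers when the search returns results, it fires for exactly the hosts whose volume is above twice their average. Note that today_b only covers the part of the day that has already passed, so a run early in the day compares a partial day against full-day averages; running it late in the day, or comparing against the same partial window on earlier days, gives a fairer threshold.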