So a sample of the data I'm working with is as follows:
Timestamp | ID | Amount
2015-12-30 09:50:45 | 1 | 28668
2015-12-30 09:50:45 | 2 | 24399
2015-12-30 09:50:45 | 2 | 904
2015-12-30 09:50:45 | 4 | 39292
2015-12-30 09:55:51 | 1 | 1000
2015-12-30 09:55:51 | 2 | 1045
2015-12-30 09:55:51 | 4 | 1035
Essentially, what I'm trying to do is build a Report/Alert that will pop when any user has a variance of say... greater than 50k between _time (data is imported about every 5-10 minutes, so that's the _time variance).
What I've got so far is something like this:
sourcetype="Log" * | table _time, ID, subAmount1, subAmount2 | eval amount=(subAmount1+subAmount2) | delta amount p=1 as amountVar | eval amountVar=-(amountVar)
I can search for an individual ID, and see variances properly between _time, but I'm trying to make a more generic report to simply show highlights on a daily basis for IDs which have a variance greater than a threshold between a certain number of events.
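A per-ID version of that search, as an added example that is not part of the original post: the field names `subAmount1`, `subAmount2`, `ID`, the sourcetype `Log` and the 50k threshold are taken from the question; everything else is assumed. It uses `streamstats` rather than `delta`, because `delta` has no `by` clause and so compares each event with the previous one regardless of which ID it belongs to.

```spl
sourcetype="Log"
| eval amount = subAmount1 + subAmount2
| sort 0 ID, _time
| streamstats current=f last(amount) as prevAmount by ID
| eval amountVar = amount - prevAmount
| where abs(amountVar) > 50000
| table _time, ID, prevAmount, amount, amountVar
```

The first event for each ID has no `prevAmount` and is dropped by the `where` clause; scheduling this over the previous day's window gives the daily highlight report, and `abs()` catches both large increases and large drops.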