Alert only when the count is continuously 0 for la...

ashrafsj · ‎05-26-2020

Hi all,

I have created a below SPL, which will alert when the RECEIVED =0, but I want this as an alert only when the last 2 hours continuously the RECEIVED=0, if there is data in span of 1 hour in time range of last 2 hours, I dont want to get an alert.

index=myIndex source=mySource sourcetype=mySourceType 
| timechart span=1h count AS Received 
| stats latest(Received) as RECEIVED by _time 
| where RECEIVED=0

Please let me know how this can be achieved?

to4kawa · ‎05-26-2020

| tstats count where index=myIndex source=mySource sourcetype=mySourceType by _time span=1h
| autoregress count as count_p
| where count==count_p AND count=0

If 2 hours count is 0, there is the event.

dindu · ‎05-26-2020

Could you please try as below. Choose Trigger alert when number of results equal to zero

 index=myIndex source=mySource sourcetype=mySourceType  earliest=-2h@h latest=@h
| timechart span=1h count AS Received 
| stats sum(Received) as total_received
 |where total_received=0

to4kawa · ‎05-26-2020

I see, I fix a mistake. please confirm updated answer.

Alert only when the count is continuously 0 for last 2 hours

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!