Hello,
I am currently trying to figure out how to combine the below three searches with different conditions into one query/alert.
if abc reminder is <1 then trigger an alert
if xyz reminder is <5 then trigger an alert
if 123 reminder is <22 then trigger an alert
Here is my query so far:
index="xyz" sourcetype=xyz ("abc reminder" OR "xyz reminder" OR "123 reminder") earliest=-24h
| eval JobName=case(searchmatch("abc reminder"), "ABC reminder",
                    searchmatch("xyz reminder"), "XYZ reminder",
                    searchmatch("123 reminder"), "123 reminder")
| stats count AS JobCount BY JobName
``` a job with no events in the window produces no row at all, so seed every job with a 0 count ```
| append [ | makeresults
           | eval JobName=split("ABC reminder,XYZ reminder,123 reminder", ",")
           | mvexpand JobName
           | eval JobCount=0
           | fields JobName JobCount ]
| stats max(JobCount) AS JobCount BY JobName
``` one threshold per job, instead of three chained stats/where pipes that each test <1 ```
| eval Threshold=case(JobName=="ABC reminder", 1,
                      JobName=="XYZ reminder", 5,
                      JobName=="123 reminder", 22)
| where JobCount < Threshold
| eval NetcoolTitle=JobName . " did not complete in last 24 hours"
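As an added illustration (not the poster's query or anything from Splunk), here is the same per-job threshold check run over a few constructed log lines in Python. It shows the edge case that a straight count silently misses: a job that never ran produces no row at all, so it has to be seeded with a 0 count before the threshold is applied. The job phrases, thresholds and sample events are assumed for the example.

```python
from collections import Counter

# Constructed sample events (not from the original post). Each string stands
# for one raw event from the assumed sourcetype. "123 reminder" deliberately
# has no events so the zero-count case is exercised.
SAMPLE_EVENTS = [
    "2024-05-01T01:00:00 job=abc reminder completed rc=0",
    "2024-05-01T02:00:00 job=xyz reminder completed rc=0",
    "2024-05-01T03:00:00 job=xyz reminder completed rc=0",
    "2024-05-01T04:00:00 unrelated heartbeat ok",
]

# Per-job minimum run counts from the post: alert when count < threshold.
THRESHOLDS = {"ABC reminder": 1, "XYZ reminder": 5, "123 reminder": 22}

# Same mapping the SPL case()/searchmatch() does: raw phrase -> JobName label.
PHRASES = {
    "abc reminder": "ABC reminder",
    "xyz reminder": "XYZ reminder",
    "123 reminder": "123 reminder",
}


def classify(event: str):
    """Return the JobName for an event, or None if it matches no phrase."""
    lowered = event.lower()
    for phrase, job in PHRASES.items():
        if phrase in lowered:
            return job
    return None


def naive_counts(events):
    """Equivalent of `stats count BY JobName`: absent jobs simply have no entry."""
    return dict(Counter(j for j in map(classify, events) if j is not None))


def job_counts(events):
    """Count per JobName, seeding every known job with 0 (the append/makeresults step)."""
    counts = naive_counts(events)
    return {job: counts.get(job, 0) for job in THRESHOLDS}


def breaches(events):
    """Jobs whose count is below their own threshold, keyed to the alert title."""
    out = {}
    for job, n in job_counts(events).items():
        if n < THRESHOLDS[job]:
            out[job] = f"{job} did not complete in last 24 hours"
    return out


if __name__ == "__main__":
    print("naive:", naive_counts(SAMPLE_EVENTS))   # no key for "123 reminder"
    print("seeded:", job_counts(SAMPLE_EVENTS))
    for title in breaches(SAMPLE_EVENTS).values():
        print("ALERT:", title)
```

With the sample input, `naive_counts` has no entry for "123 reminder" at all, which is exactly why a `where count<1` after a plain `stats count` can never fire; `job_counts` seeds it to 0 and the threshold check then reports both the XYZ job (2 runs, needs 5) and the 123 job (0 runs, needs 22), while the ABC job (1 run, needs 1) stays quiet.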