Query 1:
(sourcetype="PAYA:Enterprise:CDE:Web:App:Gateway.Bankcard" OR sourcetype="PAYA:Enterprise:CDE:Web:App:Gateway.ACH") AND "Processing response:"
| stats count by host
| eventstats sum(count) as totalTransactions
| eval percent=round(count*100/totalTransactions,2)
| eval transPerMinute=round(totalTransactions/10)
| where percent>30 AND transPerMinute>200
Query 2:
(sourcetype="PAYA:Enterprise:CDE:Web:App:Gateway.Bankcard" OR sourcetype="PAYA:Enterprise:CDE:Web:App:Gateway.ACH") AND tsys_response_time>5000 | stats count by host
Basically, I need to create an alert that if one web server has processed over 30% of the transactions in the past 10 minutes, and we are averaging over 200 transactions per minute... AND if it has two or more transactions over 5000ms
I've been wrapping my brain around this for a long time... really hoping someone can help 🙂
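One way to fold both conditions into a single per-host search, added here as an illustration and not the poster's own query: it assumes tsys_response_time is extracted on the same "Processing response:" events that the first query counts, and that the alert's time range is set to the last 10 minutes (which is what the /10 in transPerMinute relies on).

```spl
(sourcetype="PAYA:Enterprise:CDE:Web:App:Gateway.Bankcard" OR sourcetype="PAYA:Enterprise:CDE:Web:App:Gateway.ACH") "Processing response:"
| eval isSlow=if(tsys_response_time>5000, 1, 0)
| stats count as transactions, sum(isSlow) as slowTransactions by host
| eventstats sum(transactions) as totalTransactions
| eval percent=round(transactions*100/totalTransactions, 2)
| eval transPerMinute=round(totalTransactions/10)
| where percent>30 AND transPerMinute>200 AND slowTransactions>=2
```

Because eventstats computes the total across all hosts before the where filter, the share and the per-minute rate are judged against the whole fleet while the slow-transaction count stays per host.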