I am assuming that you want to have alerts for the time stamps below, according to your log data.
time      cnt   difference   alert
1:00:00   1     1            Alert
1:05:00   1     0
1:10:00   2     1
1:15:00   2     0
1:20:00   3     1
1:25:00   5     2            Alert
1:30:00   5     0
1:35:00   6     1            Alert
1:40:00   10    4            Alert
Try this:
...your search... | eval condition=if((cnt=1) OR (cnt>4),1,0) | eval condition1=if((difference>0),1,0) | eval condition2=if((condition=1) AND (condition1=1),1,0) | table _time,cnt,difference,condition2
Then go to the alert menu for this alert:
Alert condition -> select "if custom condition is met"
Custom condition -> search condition2="1"
Cron: */15 * * * *
Hope it is ok now.
Thanks
Gokhan
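The same alert predicate as the eval chain above, re-implemented in Python so it can be checked offline against the sample table. This is an added example, not part of Gokhan's answer; the rows are constructed from the table, and the first row's difference is assumed to be 1 as the table shows (Splunk's delta would leave it empty, which would suppress that first alert).

```python
from typing import List, Tuple

# Constructed sample rows taken from the table in the answer: (time, cnt).
SAMPLE_ROWS: List[Tuple[str, int]] = [
    ("1:00:00", 1), ("1:05:00", 1), ("1:10:00", 2), ("1:15:00", 2),
    ("1:20:00", 3), ("1:25:00", 5), ("1:30:00", 5), ("1:35:00", 6),
    ("1:40:00", 10),
]


def with_difference(rows: List[Tuple[str, int]], first_diff: int = 1):
    """Attach difference = cnt minus the previous row's cnt.

    The first row has no predecessor; first_diff is an assumption used
    to reproduce the table above (the post does not say how it was computed).
    """
    out = []
    prev = None
    for t, cnt in rows:
        diff = first_diff if prev is None else cnt - prev
        out.append((t, cnt, diff))
        prev = cnt
    return out


def condition2(cnt: int, difference: int) -> int:
    """Mirror the three eval statements from the search.

    condition  = 1 if cnt=1 OR cnt>4
    condition1 = 1 if difference>0
    condition2 = 1 only when both hold, otherwise 0
    """
    condition = 1 if (cnt == 1 or cnt > 4) else 0
    condition1 = 1 if difference > 0 else 0
    return 1 if (condition == 1 and condition1 == 1) else 0


def alerting_times(rows: List[Tuple[str, int]]) -> List[str]:
    """Return the time stamps the custom alert condition would fire on."""
    return [t for t, cnt, diff in with_difference(rows)
            if condition2(cnt, diff) == 1]


if __name__ == "__main__":
    for row in with_difference(SAMPLE_ROWS):
        print(*row, condition2(row[1], row[2]))
    print("alerts:", alerting_times(SAMPLE_ROWS))
```

Running it lists exactly the four rows marked Alert in the table; a row such as 1:30:00 (cnt=5, difference=0) stays quiet because condition1 fails.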