Conditional Alerting in SumoLogic
Hello, I am looking to see if there is a way to send/limit an alert only if a condition is met. For example, within the last hour, only if there is more than 1% of failures (HTTP non-200), then send an alert out. I am able to write a query to know if we breached the limit or not, but as the scheduled search only has an option on the number of results, I am unable to send a conditional alert. The following is a sample query:

_source=elb_east ........... | acheived_percentage < 99.5 ? "SLA Breach" : "OK" as status

Now either SLA Breach or OK comes up in the result, and I cannot say "if result count = 1, send an email." I am not sure how to display only the "SLA Breach" and not "OK". Any pointers would be greatly appreciated.

Thanks,
Krishna
Krishna,

You should be able to do this by modifying your query in one of these two ways:

_source=elb_east ........... | acheived_percentage < 99.5 ? "SLA Breach" : "OK" as status | where status="SLA Breach"

OR

_source=elb_east ........... | where acheived_percentage < 99.5

Either of these should only produce results in the event of a failure, and will not list any results as OK. Then, you should be able to schedule your search to alert on > 0 results.

I hope this helps!

Thanks,
Caleb F.
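To make the pattern in the answer concrete, here is an added Python simulation of what the scheduled search does; it is not Sumo Logic's code or either poster's query. It parses constructed ELB-style log lines (a simplified format assumed for the example, not the real ELB access-log layout), computes the achieved percentage of HTTP 200 responses over the window, and, like the `where acheived_percentage < 99.5` filter above, returns result rows only when the SLA is breached, so an alert rule of "more than 0 results" fires only on failure. The field name `acheived_percentage` is kept as spelled in the thread.

```python
"""
Added example: simulates the "filter so results only exist on breach, then
alert on > 0 results" pattern from the answer above. Not Sumo Logic code.
"""
import re
from dataclasses import dataclass
from typing import List, Dict

# Threshold from the thread: alert when the achieved percentage is below 99.5.
SLA_THRESHOLD = 99.5

# Constructed, simplified log format (assumption for this example only):
#   <timestamp> <source> <client:port> <status_code> "<request>"
_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<source>\S+) (?P<client>\S+) (?P<status>\d{3}) "(?P<request>[^"]*)"$'
)


@dataclass
class LogEntry:
    ts: str
    source: str
    status: int


def _make_lines(ok_count: int, fail_count: int) -> List[str]:
    """Build constructed sample lines: ok_count 200s followed by fail_count 503s."""
    base = '2024-01-01T10:{m:02d}:00Z elb_east 10.0.0.1:443 {code} "GET / HTTP/1.1"'
    lines = [base.format(m=i % 60, code=200) for i in range(ok_count)]
    lines += [base.format(m=i % 60, code=503) for i in range(fail_count)]
    return lines


# Two constructed one-hour windows: exactly at the threshold, and below it.
HEALTHY_LOGS = _make_lines(ok_count=199, fail_count=1)   # 99.5% -> no breach
DEGRADED_LOGS = _make_lines(ok_count=198, fail_count=2)  # 99.0% -> breach


def parse_logs(lines: List[str]) -> List[LogEntry]:
    """Parse lines in the constructed format; lines that do not match are skipped,
    mirroring how a malformed line would simply not contribute a status field."""
    entries = []
    for line in lines:
        m = _LINE_RE.match(line)
        if m:
            entries.append(LogEntry(m["ts"], m["source"], int(m["status"])))
    return entries


def achieved_percentage(entries: List[LogEntry]) -> float:
    """Percentage of HTTP 200 responses in the window (100.0 for an empty window)."""
    total = len(entries)
    if total == 0:
        return 100.0
    ok = sum(1 for e in entries if e.status == 200)
    # Multiply first so 199/200 evaluates to exactly 99.5 in floating point.
    return 100.0 * ok / total


def sla_rows(entries: List[LogEntry], threshold: float = SLA_THRESHOLD) -> List[Dict]:
    """Equivalent of `... | where acheived_percentage < 99.5`:
    a single result row when the SLA is breached, no rows otherwise."""
    pct = achieved_percentage(entries)
    if pct < threshold:
        return [{"acheived_percentage": round(pct, 2), "status": "SLA Breach"}]
    return []


def should_alert(entries: List[LogEntry]) -> bool:
    """The scheduled-search rule: alert when the result count is greater than 0."""
    return len(sla_rows(entries)) > 0


if __name__ == "__main__":
    for name, logs in (("healthy", HEALTHY_LOGS), ("degraded", DEGRADED_LOGS)):
        entries = parse_logs(logs)
        print(name, achieved_percentage(entries), sla_rows(entries), should_alert(entries))
```

One caveat worth keeping in mind with this pattern: a window with no log lines at all also yields zero result rows, which looks identical to "SLA met". If the log pipeline itself stops delivering, this alert stays silent, so a separate scheduled search that fires when the event count for `_source=elb_east` drops to zero is a useful companion.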