Is there a way to count the number of sourceHosts rather than counting the number of messages per sourceHost?


1 comment

  • Avatar
    Kevin Keech

    Hi James,

    In your query try the following.

    | count_distinct(_sourceHost) as host_count

    | where host_count > 10

    Within the "where" statement place your threshold for the alert. Then within your scheduled search set the alert threshold to query if the count of results is less than 1

    Comment actions Permalink

Please sign in to leave a comment.