Alerting based on a count ratio...

Comments

4 comments

  • Colin Corstorphine

    Brian, 

    I'm making the assumption that the A and B are parsed from the same field and thus mutually exclusive in each message.

    Your query might look something like this:

    | parse ____ as MyField
    | if (MyField matches "A", 1, 0) as CountA
    | if (MyField matches "B", 1, 0) as CountB
    | sum(CountA) as SumA, sum(CountB) as SumB
    | SumA/SumB as MyRatio
    | where MyRatio>3

    This will only return results when your threshold has been met.

    You would then set your Scheduled Search similar to the following:

    [screenshot: Scheduled Search settings]
  • Brian Conneen

    Worked great!!! Thanks for the help. SumoLogic keeps surprising me.

  • Brian Conneen

    Colin,

    Is there an easy way to accomplish the above (which is working great) but also slice it by time? I'd like to know the ratio every 60 minutes, over 7 days.

    Something like:

    | parse ____ as MyField
    | timeslice 60
    | if (MyField matches "A", 1, 0) as CountA
    | if (MyField matches "B", 1, 0) as CountB
    | sum(CountA) as SumA, sum(CountB) as SumB
    | SumA/SumB as MyRatio
    | by _timeslice

    I've tried a bunch of different variations, but I can't seem to grok the right concept.

  • Kevin Keech

    Give the following a try. This will tell the query to sum your records by the timeslice. The ratio should then be on the timesliced values.

    | parse ____ as MyField
    | timeslice by 60m
    | if (MyField matches "A", 1, 0) as CountA
    | if (MyField matches "B", 1, 0) as CountB
    | sum(CountA) as SumA, sum(CountB) as SumB by _timeslice
    | SumA/SumB as MyRatio

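The timesliced ratio from the last two comments, worked through as an added Python example (not code from this thread or from Sumo Logic) over constructed log lines. It assumes a `status=` field standing in for the blanked-out parse expression, uses 60-minute slices like `timeslice by 60m`, and also covers a slice with no B records, where `SumA/SumB` has no defined value and a plain `where MyRatio>3` would never fire.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not from the thread): "<UTC timestamp> status=<A|B>".
SAMPLE_LOGS = """\
2014-11-13T08:05:00Z status=A
2014-11-13T08:10:00Z status=A
2014-11-13T08:20:00Z status=A
2014-11-13T08:30:00Z status=A
2014-11-13T08:40:00Z status=B
2014-11-13T09:05:00Z status=A
2014-11-13T09:15:00Z status=B
2014-11-13T10:05:00Z status=A
"""

SLICE_SECONDS = 60 * 60  # same window as "| timeslice by 60m"

def parse_line(line):
    """Stand-in for '| parse ____ as MyField' (assumed field name): (epoch_seconds, MyField)."""
    ts, _, rest = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(when.timestamp()), rest.split("status=", 1)[1].strip()

def ratio_by_timeslice(log_text, slice_seconds=SLICE_SECONDS):
    """Per timeslice: (SumA, SumB, SumA/SumB); the ratio is None when SumB == 0."""
    sums = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        epoch, field = parse_line(line)
        bucket = epoch - epoch % slice_seconds  # floor to the start of the slice
        if field == "A":
            sums[bucket][0] += 1
        elif field == "B":
            sums[bucket][1] += 1
    result = {}
    for bucket in sorted(sums):
        a, b = sums[bucket]
        key = datetime.fromtimestamp(bucket, timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
        result[key] = (a, b, a / b if b else None)
    return result

def slices_over_threshold(log_text, threshold=3.0):
    """'| where MyRatio > 3' per slice; slices with SumB == 0 (no ratio) are listed separately."""
    fired, undefined = [], []
    for key, (_, _, ratio) in ratio_by_timeslice(log_text).items():
        if ratio is None:
            undefined.append(key)
        elif ratio > threshold:
            fired.append(key)
    return fired, undefined
```

Returning the undefined slices alongside the fired ones is the point of the example: a window with many A records and zero B records is exactly the kind of skew this alert exists to catch, yet it produces no ratio to compare against the threshold.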
