Alerting based on a count ratio...
I'm monitoring a log file for the outcome of an operation. Let's call the outcomes A vs B. I parse the A or B from the log entry.
I would like to alert if the ratio of A vs B over a period of time goes above a threshold.
For example, over a 15 minute period of time, I get 100 log messages. 60 of them are A outcomes and 40 of them are B outcomes. This would be a 6 to 4 (1.5 decimal) ratio of A to B. I would like to alert if this ratio were to get above 9 to 3 (3.0 decimal).
-
Brian,
I'm making the assumption that the A and B are parsed from the same field and thus mutually exclusive in each message.
Your query might look something like this:
| parse ____ as MyField
| if (MyField matches "A", 1, 0) as CountA
| if (MyField matches "B", 1, 0) as CountB
| sum(CountA) as SumA, sum(CountB) as SumB
| SumA/SumB as MyRatio
| where MyRatio>3
This will only return results when your threshold has been met.
You would then set your Scheduled Search similar to the following:
-
Colin,
Is there an easy way to accomplish the above (which is working great) but to also slice it by time. I'd like to know the ratio every 60 minutes, over 7 days.
Something like:
| parse ____ as MyField
| timeslice 60
| if (MyField matches "A", 1, 0) as CountA
| if (MyField matches "B", 1, 0) as CountB
| sum(CountA) as SumA, sum(CountB) as SumB
| SumA/SumB as MyRatio| by _timeslice
I've tried a bunch of different variations, but I can't seem to grok the right concept.
-
Give the following a try. This will tell the query to sum your records by the timeslice. The ratio should then be computed on the timesliced values.
| parse ____ as MyField
| timeslice by 60m
| if (MyField matches "A", 1, 0) as CountA
| if (MyField matches "B", 1, 0) as CountB
| sum(CountA) as SumA, sum(CountB) as SumB by _timeslice
| SumA/SumB as MyRatio
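The two queries above (the single-window `where MyRatio>3` check in Colin's first reply and the `by _timeslice` version in the last reply) are easy to sanity-check offline before scheduling them. The Python below is an added example, not code from the original thread or from the log platform: it parses a constructed set of log lines with an `outcome=A` / `outcome=B` field, buckets them into 60-minute timeslices, computes SumA/SumB per slice, and returns the slices where the ratio exceeds the threshold. It also handles the case the query syntax leaves implicit, a slice with SumB = 0: here it is treated as an infinite ratio (and therefore an alert) rather than a division error. The field name `outcome` and the log line layout are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone


# Sample log lines, constructed for this example (not from the original thread).
# Each slice is built from (count_of_A, count_of_B) so the expected ratios are obvious:
#   10:00 -> 6 A / 4 B = 1.5      (no alert)
#   11:00 -> 9 A / 3 B = 3.0      (exactly the threshold; not above it, no alert)
#   12:00 -> 7 A / 2 B = 3.5      (alert)
#   13:00 -> 2 A / 0 B = infinite (SumB is zero; treated as an alert)
def _make_lines(start, counts):
    lines = []
    for hour_offset, (n_a, n_b) in enumerate(counts):
        base = start + timedelta(hours=hour_offset)
        for i, outcome in enumerate(["A"] * n_a + ["B"] * n_b):
            ts = base + timedelta(minutes=i)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} op=transfer outcome={outcome}")
    return lines


SAMPLE_LOGS = _make_lines(
    datetime(2024, 5, 1, 10, tzinfo=timezone.utc),
    [(6, 4), (9, 3), (7, 2), (2, 0)],
)

# Equivalent of "| parse ____ as MyField": pull the timestamp and the A/B field out of a line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s.*\boutcome=(?P<outcome>[AB])\b")


def parse_line(line):
    """Return (timestamp, outcome) for a line, or None if it does not carry the field."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group("outcome")


def timeslice_start(ts, minutes):
    """Floor a timestamp to the start of its slice (the equivalent of `timeslice by 60m`)."""
    epoch_minutes = int(ts.timestamp() // 60)
    floored = epoch_minutes - epoch_minutes % minutes
    return datetime.fromtimestamp(floored * 60, tz=timezone.utc)


def ratios_by_timeslice(lines, slice_minutes=60):
    """Return {slice_start: (SumA, SumB, MyRatio)} in slice order.

    MyRatio is SumA/SumB; when SumB is 0 it is float('inf') if any A was seen,
    or None if the slice had neither outcome (nothing to alert on).
    """
    counts = defaultdict(lambda: [0, 0])  # slice_start -> [CountA total, CountB total]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # lines without the field contribute to neither sum
        ts, outcome = parsed
        bucket = counts[timeslice_start(ts, slice_minutes)]
        bucket[0 if outcome == "A" else 1] += 1

    result = {}
    for slice_start in sorted(counts):
        sum_a, sum_b = counts[slice_start]
        if sum_b:
            ratio = sum_a / sum_b
        else:
            ratio = float("inf") if sum_a else None
        result[slice_start] = (sum_a, sum_b, ratio)
    return result


def alerts(lines, threshold=3.0, slice_minutes=60):
    """Equivalent of `| where MyRatio>3`: the slices whose ratio is strictly above threshold."""
    return [
        (slice_start, sum_a, sum_b, ratio)
        for slice_start, (sum_a, sum_b, ratio) in ratios_by_timeslice(lines, slice_minutes).items()
        if ratio is not None and ratio > threshold
    ]


if __name__ == "__main__":
    for slice_start, sum_a, sum_b, ratio in alerts(SAMPLE_LOGS):
        print(f"{slice_start:%Y-%m-%d %H:%M}  SumA={sum_a} SumB={sum_b} MyRatio={ratio}")
```

Two details worth carrying back to the scheduled search: the comparison is strict, so a slice that lands exactly on 9 to 3 (ratio 3.0) does not fire, matching `MyRatio>3`; and a slice with no B outcomes at all has no finite ratio, so decide deliberately whether that should page someone (the code above says yes) rather than leaving it to whatever the query engine does with SumB = 0.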
4 comments