outlier alerts

Follow
Avatar
Amir Sela Peled

 

 

Hi,

I want to be able to detect unnormal spikes in the number of certain messages. for example, in the screenshot below the normal behavior is between 100-15,000 messages in 1 hour, so I used this query but I want to modify it so it will alert (message_indicator=1) if the total alert are around 20K. How can I do that? I used this:

-

AND !"with 0 errors")
AND !"errorMessage=null")
AND !"\"remoteGatewayStatus\":\"Error\"")
AND !"schedulingPaymentError=null")
AND !"\"error\": null,")
AND !"response: code = 200,"
|kv auto
|timeslice 1h
|count as message by _timeslice
|outlier message window=10,threshold=10,consecutive=2

 

 

 

 

0

Comments

1 comment

Sort by Date Votes
  • Official comment
    Avatar
    Matt Sullivan
    • Edited

    if by total, you mean within the timeslice, and you are only alerting based on the count, no longer using outlier's standard deviation approach, just replace the outlier line with

    | where _count > 20000

    and then your alert condition is if there are > 0 results.

    if you really mean total over the entire time range of query, rather than each timeslice within, drop the timeslice line and don't include by _timeslice in the count.

    p.s. the kv auto I don't think is doing anything in above so can drop that too.

    Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post