How to trigger spunk alert for every stat that appears on my query

Question

I currently have a query that results in a couple stats being shown, "Statistics (5)"

I use this query to get those Stats:

index=ms-app  environment=prod AND "*"
| eval uri=replace(mvindex(split('request.uri', "?"), 0), "\/\d+[-+\w]+", "/:n"), methodOverride='request.headers.X-HTTP-Method-Override'
| eval methodOverrideStr = if(isnull(methodOverride) OR methodOverride=="null", "", "(" + methodOverride + ")")
| eval request = 'request.method' + methodOverrideStr + " " + uri + " " + 'response.httpStatusCode'
| stats
median(stats.overallResponseTimeInMilliSeconds) as "Median"
| table request, "Median" > 3000 | where Median > 3000

I want to create an alert that will trigger every time one stat appears

Currently have my trigger set up like this:

Then i have an action that it will go to a slack channel i created when triggered.

However i do not ever see it being triggered in my slack despite having results in the Statistics section of my query

score 0 · Answer 1 · answered May 12 '20 at 23:28

It is best to use the Trigger alert when Number of Results is greater than 0.

Your trigger alert condition isn't valid. You would use something like where count > 1 and include a stats count at the end of your search expression. This is overly complex though.

It also appears you want to run a search for 7 days worth of data every minute. Depending on the volume, this could be an expensive query. It could be better to look at other options such as summary indexing.

How to trigger spunk alert for every stat that appears on my query

1 Answers1