In this recipe, you created a search to look for abnormal web page response times by creating an alert to trigger when the maximum response time in the last hour for a given web page is five times greater than the average response time for that page at the same time yesterday.
We chose to get the average from the same period yesterday, as the data might be abnormal today. You might wish to look back over a wider period, such as 7 days, to get a more accurate average. Alternatively, you might have a hardcoded threshold for the number of milliseconds within which a web page must respond that you could use instead.
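The alert condition described above, together with the two alternatives (a wider baseline and a hardcoded threshold), as an added Python example rather than the recipe's own Splunk search. The record shape `(timestamp, page, response_ms)`, the function name `abnormal_pages`, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

def abnormal_pages(events, now, factor=5, baseline_days=1, hard_limit_ms=None):
    """Return {page: (max_last_hour, baseline_avg)} for pages that should alert.

    events: iterable of (datetime, page, response_ms) -- assumed record shape.
    baseline_days: 1 = same hour yesterday; 7 = same hour on each of the last 7 days.
    hard_limit_ms: optional fixed threshold used instead of the baseline average.
    """
    hour = timedelta(hours=1)
    current, baseline = defaultdict(list), defaultdict(list)
    for ts, page, ms in events:
        if now - hour <= ts < now:                # the last hour
            current[page].append(ms)
            continue
        for d in range(1, baseline_days + 1):     # same hour, d days earlier
            start = now - hour - timedelta(days=d)
            if start <= ts < start + hour:
                baseline[page].append(ms)
                break
    flagged = {}
    for page, times in current.items():
        worst = max(times)
        if hard_limit_ms is not None:
            if worst > hard_limit_ms:
                flagged[page] = (worst, None)
        elif baseline[page]:                      # no baseline: nothing to compare against
            avg = mean(baseline[page])
            if worst > factor * avg:
                flagged[page] = (worst, avg)
    return flagged

# Constructed sample events; "now" is 2024-01-02 12:00.
NOW = datetime(2024, 1, 2, 12, 0)
EVENTS = [
    (datetime(2023, 12, 31, 11, 30), "/cart", 600),  # two days ago, slow
    (datetime(2024, 1, 1, 11, 10), "/cart", 100),    # yesterday: /cart avg 120
    (datetime(2024, 1, 1, 11, 40), "/cart", 140),
    (datetime(2024, 1, 1, 11, 20), "/home", 80),     # yesterday: /home avg 100
    (datetime(2024, 1, 1, 11, 50), "/home", 120),
    (datetime(2024, 1, 2, 11, 5), "/cart", 130),
    (datetime(2024, 1, 2, 11, 30), "/cart", 900),    # 900 > 5 * 120
    (datetime(2024, 1, 2, 11, 15), "/home", 450),    # 450 < 5 * 100
    (datetime(2024, 1, 2, 11, 45), "/new", 5000),    # page has no baseline
]
```

With the sample data, only `/cart` alerts against yesterday's average; widening the baseline to 7 days pulls in the slow request from two days ago and raises the average enough that it no longer alerts.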
Let's break the search down piece by piece:
Search fragment | Description |
index=main sourcetype=access_combined ... |