I want to be alerted when our logs indicate that the average duration of commands is over 1 second. However, I cannot figure out how to do the following:
- Filter the query to only log events which have duration information (not all of them do)
- Alert per server. Logs for all servers are in the logs index and I want to know which server is experiencing high command durations. The server ID is on a field in each record.
How can I accomplish these things? Here's a screenshot of my current rule definition. Thank you!
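A tool-agnostic illustration of the two pieces the question asks for, added here and not part of the original post: keep only events that actually carry a duration, then compute the average per server and flag each server separately. The alerting product, index and field names are not stated in the post, so the record layout (`server_id`, `duration_ms`) and the JSON sample lines below are constructed assumptions.

```python
"""Per-server average command duration check over JSON log records.

Added illustration, not from the original post: the poster's alerting tool
and field names are not given, so the record layout (server_id, duration_ms)
and the sample events are constructed assumptions.
"""
import json
from collections import defaultdict

THRESHOLD_MS = 1000.0  # the post's "over 1 second"

# Constructed sample log lines; the "heartbeat" records lack duration information.
SAMPLE_LOGS = "\n".join([
    '{"ts": "2024-01-01T10:00:00Z", "server_id": "srv-a", "command": "GET", "duration_ms": 200}',
    '{"ts": "2024-01-01T10:00:01Z", "server_id": "srv-a", "command": "SET", "duration_ms": 400}',
    '{"ts": "2024-01-01T10:00:02Z", "server_id": "srv-a", "message": "heartbeat"}',
    '{"ts": "2024-01-01T10:00:03Z", "server_id": "srv-b", "command": "GET", "duration_ms": 1500}',
    '{"ts": "2024-01-01T10:00:04Z", "server_id": "srv-b", "command": "SET", "duration_ms": 900}',
    '{"ts": "2024-01-01T10:00:05Z", "server_id": "srv-b", "message": "heartbeat"}',
    '{"ts": "2024-01-01T10:00:06Z", "server_id": "srv-c", "command": "GET", "duration_ms": 2500}',
])


def parse_events(text):
    """Yield a dict for each non-empty line that parses as JSON; skip unparsable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def has_duration(event, field="duration_ms"):
    """True only for events that carry a numeric duration (the question's first filter)."""
    value = event.get(field)
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def average_duration_per_server(text, server_field="server_id", duration_field="duration_ms"):
    """Average duration per server, computed only over events that have a duration.

    Events without a duration are left out of both numerator and denominator;
    counting them as zero would pull the average down and hide a slow server.
    """
    totals = defaultdict(float)
    counts = defaultdict(int)
    for event in parse_events(text):
        if not has_duration(event, duration_field):
            continue
        server = event.get(server_field, "unknown")
        totals[server] += float(event[duration_field])
        counts[server] += 1
    return {server: totals[server] / counts[server] for server in totals}


def servers_over_threshold(text, threshold_ms=THRESHOLD_MS, **fields):
    """Return {server: average_ms} for every server whose average exceeds the threshold."""
    averages = average_duration_per_server(text, **fields)
    return {server: avg for server, avg in averages.items() if avg > threshold_ms}


if __name__ == "__main__":
    # One alert line per offending server rather than one alert for the whole index.
    for server, avg in sorted(servers_over_threshold(SAMPLE_LOGS).items()):
        print(f"ALERT server={server} avg_command_duration_ms={avg:.0f} > {THRESHOLD_MS:.0f}")
```

With the sample data, srv-a averages 300 ms, srv-b 1200 ms and srv-c 2500 ms, so only srv-b and srv-c are reported. Note that srv-b's heartbeat record, if it were counted as a zero-length command, would drop its average to 800 ms and suppress the alert; in a query-based alerting rule the same two steps are an "exists" style filter on the duration field followed by grouping (a terms aggregation) on the server-ID field, so the threshold is evaluated per group.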