https://community.splunk.com/t5/Splunk-Search/search-help/m-p/559442#M158935 <P>Hi All,</P><P>I am looking for a little help with a search today. I am looking to create an alert based on this search that only triggers when the same hostname comes up twice in a row.&nbsp;</P><P>so far the search I have is I am unsure how to include/return two machines of the same name:</P><P>index="login_pi" source="WinEventLog:LoginPI Events" SourceName="Application Threshold Exceeded"<BR />| rex field=_raw "Actual value\\\":\s+\\\"(?&lt;actual_value&gt;\d+)"<BR />| search actual_value&gt;=10<BR />| table Target,actual_value,ApplicationName,Title</P><P>here is an example event:</P><DIV class="shared-eventsviewer-shared-rawfield"><DIV class="raw-event normal wrap "><SPAN class="t">07/14/2021</SPAN> <SPAN class="t">10:39:49</SPAN> <SPAN class="t">AM</SPAN> <SPAN class="t">LogName=LoginPI</SPAN> <SPAN class="t">Events</SPAN> <SPAN class="t">EventCode=800</SPAN> <SPAN class="t">EventType=4</SPAN> <SPAN class="t">ComputerName=RNBSVSIMGT02.rightnetworks.com</SPAN> <SPAN class="t">SourceName=Application</SPAN> <SPAN class="t">Threshold</SPAN> <SPAN class="t">Exceeded</SPAN> <SPAN class="t">Type=Information</SPAN> <SPAN class="t">RecordNumber=1786721</SPAN> <SPAN class="t">Keywords=Classic</SPAN> <SPAN class="t">TaskCategory=None</SPAN> <SPAN class="t">OpCode=Info</SPAN> <SPAN class="t">Message=</SPAN>{ "<SPAN class="t">Description</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">Measurement</SPAN> <SPAN class="t">duration</SPAN> (<SPAN class="t">7.561s</SPAN>) <SPAN class="t">exceeded</SPAN> <SPAN class="t">threshold</SPAN> <SPAN class="t">of</SPAN> <SPAN class="t">5s</SPAN> (<SPAN class="t">51.22%</SPAN>)", "<SPAN class="t">Actual</SPAN> <SPAN class="t">value</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">7.561</SPAN>", "<SPAN class="t">Threshold</SPAN> <SPAN class="t">value</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">5</SPAN>", "<SPAN class="t">Measurement</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">quickbooksopen_2021</SPAN>", "<SPAN class="t">Locale</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">English</SPAN> (<SPAN class="t">United</SPAN> <SPAN class="t">States</SPAN>)", "<SPAN class="t">RemotingProtocol</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">Rdp</SPAN>", "<SPAN class="t">Resolution</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">1920</SPAN> <SPAN class="t">×</SPAN> <SPAN class="t">1080</SPAN>", "<SPAN class="t">ScaleFactor</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">100%</SPAN>", "<SPAN class="t">Target</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">BPOQCP01S01</SPAN>", "<SPAN class="t">TargetOS</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t h">Microsoft</SPAN> <SPAN class="t">Windows</SPAN> <SPAN class="t">Server</SPAN> <SPAN class="t">2016</SPAN> <SPAN class="t">Standard</SPAN> <SPAN class="t">10.0.14393</SPAN> (<SPAN class="t">1607</SPAN>)", "<SPAN class="t">AppExecutionId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">4ed43186-648c-4e8e-96ee-9e4b52e468cb</SPAN>", "<SPAN class="t">AccountId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">a4a6655b-f7ac-4783-aec5-698a146eb2cf</SPAN>", "<SPAN class="t">AccountName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">rightnetworks\\eloginpi082</SPAN>", "<SPAN class="t">LauncherName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">RNBSVSI23</SPAN>", "<SPAN class="t">EnvironmentName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">BPOQCP01S01</SPAN>", "<SPAN class="t">EnvironmentId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">bc31c8f6-e8c0-4278-93c3-08d8040960f8</SPAN>", "<SPAN class="t">ApplicationName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">QB_2021_Open</SPAN>", "<SPAN class="t">ApplicationId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">ece9c6b9-6662-45be-970d-2708603ca13b</SPAN>", "<SPAN class="t">Title</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">Application</SPAN> <SPAN class="t">threshold</SPAN> <SPAN class="t">exceeded</SPAN>" }</DIV></DIV> Wed, 14 Jul 2021 15:01:56 GMT tkerr1357 2021-07-14T15:01:56Z https://community.splunk.com/t5/Splunk-Search/search-help/m-p/559442#M158935 <P>Hi All,</P><P>I am looking for a little help with a search today. I am looking to create an alert based on this search that only triggers when the same hostname comes up twice in a row.&nbsp;</P><P>so far the search I have is I am unsure how to include/return two machines of the same name:</P><P>index="login_pi" source="WinEventLog:LoginPI Events" SourceName="Application Threshold Exceeded"<BR />| rex field=_raw "Actual value\\\":\s+\\\"(?&lt;actual_value&gt;\d+)"<BR />| search actual_value&gt;=10<BR />| table Target,actual_value,ApplicationName,Title</P><P>here is an example event:</P><DIV class="shared-eventsviewer-shared-rawfield"><DIV class="raw-event normal wrap "><SPAN class="t">07/14/2021</SPAN> <SPAN class="t">10:39:49</SPAN> <SPAN class="t">AM</SPAN> <SPAN class="t">LogName=LoginPI</SPAN> <SPAN class="t">Events</SPAN> <SPAN class="t">EventCode=800</SPAN> <SPAN class="t">EventType=4</SPAN> <SPAN class="t">ComputerName=RNBSVSIMGT02.rightnetworks.com</SPAN> <SPAN class="t">SourceName=Application</SPAN> <SPAN class="t">Threshold</SPAN> <SPAN class="t">Exceeded</SPAN> <SPAN class="t">Type=Information</SPAN> <SPAN class="t">RecordNumber=1786721</SPAN> <SPAN class="t">Keywords=Classic</SPAN> <SPAN class="t">TaskCategory=None</SPAN> <SPAN class="t">OpCode=Info</SPAN> <SPAN class="t">Message=</SPAN>{ "<SPAN class="t">Description</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">Measurement</SPAN> <SPAN class="t">duration</SPAN> (<SPAN class="t">7.561s</SPAN>) <SPAN class="t">exceeded</SPAN> <SPAN class="t">threshold</SPAN> <SPAN class="t">of</SPAN> <SPAN class="t">5s</SPAN> (<SPAN class="t">51.22%</SPAN>)", "<SPAN class="t">Actual</SPAN> <SPAN class="t">value</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">7.561</SPAN>", "<SPAN class="t">Threshold</SPAN> <SPAN class="t">value</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">5</SPAN>", "<SPAN class="t">Measurement</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">quickbooksopen_2021</SPAN>", "<SPAN class="t">Locale</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">English</SPAN> (<SPAN class="t">United</SPAN> <SPAN class="t">States</SPAN>)", "<SPAN class="t">RemotingProtocol</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">Rdp</SPAN>", "<SPAN class="t">Resolution</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">1920</SPAN> <SPAN class="t">×</SPAN> <SPAN class="t">1080</SPAN>", "<SPAN class="t">ScaleFactor</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">100%</SPAN>", "<SPAN class="t">Target</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">BPOQCP01S01</SPAN>", "<SPAN class="t">TargetOS</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t h">Microsoft</SPAN> <SPAN class="t">Windows</SPAN> <SPAN class="t">Server</SPAN> <SPAN class="t">2016</SPAN> <SPAN class="t">Standard</SPAN> <SPAN class="t">10.0.14393</SPAN> (<SPAN class="t">1607</SPAN>)", "<SPAN class="t">AppExecutionId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">4ed43186-648c-4e8e-96ee-9e4b52e468cb</SPAN>", "<SPAN class="t">AccountId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">a4a6655b-f7ac-4783-aec5-698a146eb2cf</SPAN>", "<SPAN class="t">AccountName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">rightnetworks\\eloginpi082</SPAN>", "<SPAN class="t">LauncherName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">RNBSVSI23</SPAN>", "<SPAN class="t">EnvironmentName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">BPOQCP01S01</SPAN>", "<SPAN class="t">EnvironmentId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">bc31c8f6-e8c0-4278-93c3-08d8040960f8</SPAN>", "<SPAN class="t">ApplicationName</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">QB_2021_Open</SPAN>", "<SPAN class="t">ApplicationId</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">ece9c6b9-6662-45be-970d-2708603ca13b</SPAN>", "<SPAN class="t">Title</SPAN>"<SPAN class="t">:</SPAN> "<SPAN class="t">Application</SPAN> <SPAN class="t">threshold</SPAN> <SPAN class="t">exceeded</SPAN>" }</DIV></DIV> Wed, 14 Jul 2021 15:01:56 GMT https://community.splunk.com/t5/Splunk-Search/search-help/m-p/559442#M158935 tkerr1357 2021-07-14T15:01:56Z https://community.splunk.com/t5/Splunk-Search/search-help/m-p/559457#M158938 <LI-CODE lang="markup">| streamstats values(ComputerName) as ComputerNameValues list(ComputerName) as ComputerNameList window=2 | where mvcount(ComputerNameValues) = 1 AND mvcount(ComputerNameList) = 2</LI-CODE> Wed, 14 Jul 2021 16:05:58 GMT https://community.splunk.com/t5/Splunk-Search/search-help/m-p/559457#M158938 ITWhisperer 2021-07-14T16:05:58Z https://community.splunk.com/t5/Splunk-Search/search-help/m-p/559470#M158940 <P>I changed it to target instead of computername but this did the trick.</P> Wed, 14 Jul 2021 17:00:59 GMT https://community.splunk.com/t5/Splunk-Search/search-help/m-p/559470#M158940 tkerr1357 2021-07-14T17:00:59Z