https://community.splunk.com/t5/Splunk-Search/add-time-constraint-for-web-site-avilability-check-condition/m-p/498710#M194919 <P>Further to above I update the query as below:<BR /> index=f5<BR /> | rex field=headers "Host: (?<HOST_URL>[a-zA-Z0-9-.]+.[a-zA-Z]{2,3})" <BR /> | eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.a0a.0.0/16",dest) ,"External_Portal","Internal_Portal") | search host_url="<A href="http://www.*.xx.xx" target="_blank">www.*.xx.xx</A>" portal="External_Portal" <BR /> [ search index=f5 earliest=-5m latest=now <BR /> | rex field=headers "Host: (?<HOST_URL>[a-zA-Z0-9-.]+.[a-zA-Z]{2,3})" <BR /> | stats count(eval(status="200")) AS "ok_status", count(eval(status="404" OR status="50*")) as "not_ok_status" by dest,host_url<BR /> | eval site_status = if("ok_status" &lt; "not_ok_status" , "site_unavailable" , "site_available") <BR /> | return site_status] <BR /> | fields site_status,dest,host_url</HOST_URL></HOST_URL></P> <P>but no results...?</P> Wed, 30 Sep 2020 03:12:47 GMT riqbal47010 2020-09-30T03:12:47Z https://community.splunk.com/t5/Splunk-Search/add-time-constraint-for-web-site-avilability-check-condition/m-p/498709#M194918 <P>Referring below query:</P> <PRE><CODE>index=f5 | rex field=headers "Host: (?&lt;host_url&gt;[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3})" | eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.A0A.0.0/16",dest) ,"External_Portal","Internal_Portal") | stats count(eval(status="200")) AS "ok_status", count(eval(status="404" OR status="50*")) as "not_ok_status" by dest,host_url **| eval site_status = if("ok_status" &lt; "not_ok_status" , "site_unavailable" , "site_available")** | search host_url="www.*.xxx.xx" | fields + dest host_url site_status </CODE></PRE> <P>================================================<BR /> <STRONG>| eval site_status = if("ok_status" &lt; "not_ok_status" , "site_unavailable" , "site_available")</STRONG> </P> <P>At this stage I want to put the time constraint that if within 5 minutes, if("ok_status" &lt; "not_ok_status") then the site is unavailable.</P> Wed, 30 Sep 2020 03:12:44 GMT https://community.splunk.com/t5/Splunk-Search/add-time-constraint-for-web-site-avilability-check-condition/m-p/498709#M194918 riqbal47010 2020-09-30T03:12:44Z https://community.splunk.com/t5/Splunk-Search/add-time-constraint-for-web-site-avilability-check-condition/m-p/498710#M194919 <P>Further to above I update the query as below:<BR /> index=f5<BR /> | rex field=headers "Host: (?<HOST_URL>[a-zA-Z0-9-.]+.[a-zA-Z]{2,3})" <BR /> | eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.a0a.0.0/16",dest) ,"External_Portal","Internal_Portal") | search host_url="<A href="http://www.*.xx.xx" target="_blank">www.*.xx.xx</A>" portal="External_Portal" <BR /> [ search index=f5 earliest=-5m latest=now <BR /> | rex field=headers "Host: (?<HOST_URL>[a-zA-Z0-9-.]+.[a-zA-Z]{2,3})" <BR /> | stats count(eval(status="200")) AS "ok_status", count(eval(status="404" OR status="50*")) as "not_ok_status" by dest,host_url<BR /> | eval site_status = if("ok_status" &lt; "not_ok_status" , "site_unavailable" , "site_available") <BR /> | return site_status] <BR /> | fields site_status,dest,host_url</HOST_URL></HOST_URL></P> <P>but no results...?</P> Wed, 30 Sep 2020 03:12:47 GMT https://community.splunk.com/t5/Splunk-Search/add-time-constraint-for-web-site-avilability-check-condition/m-p/498710#M194919 riqbal47010 2020-09-30T03:12:47Z https://community.splunk.com/t5/Splunk-Search/add-time-constraint-for-web-site-avilability-check-condition/m-p/498711#M194920 <PRE><CODE>index=f5 sourcetype=your_sourcetype "www.*" dest="10.x0x.*" | rex field=headers "Host: (?&lt;host_url&gt;[^:]+?)" | stats count(eval(status="200")) AS ok_status, count(eval(status="404" OR status="50*")) as not_ok_status by dest,host_url | fields dest host_url ok_status not_ok_status | eval site_status = if(ok_status &lt; not_ok_status , "site_unavailable" , "site_available") </CODE></PRE> <P>I modified it in various ways.how about this?</P> Fri, 29 Nov 2019 15:11:03 GMT https://community.splunk.com/t5/Splunk-Search/add-time-constraint-for-web-site-avilability-check-condition/m-p/498711#M194920 to4kawa 2019-11-29T15:11:03Z