https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/638429#M221267 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a>&nbsp;</P><P>Hi,</P><P>My usecase is of in between 2 hours if users triggers an alert other than pdm more than 3 times !</P> Mon, 03 Apr 2023 17:46:23 GMT AL3Z 2023-04-03T17:46:23Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/636938#M221182 <P>Hi,<BR />I'm trying to write the spl query on&nbsp; usecase like&nbsp; alertname!="*pdm*"&nbsp; triggerred by user in between like 2 hours how could we achieve using it eval expression.</P> Mon, 03 Apr 2023 19:28:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/636938#M221182 AL3Z 2023-04-03T19:28:10Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/636985#M221188 <P>Hi,</P><P>To find events over the last two hours, use a search similar to the following:</P><P>index=foo alertname!="*pdm*" earliest_time=-2h latest_time=now</P><P>To find multiple occurrences of events by user in a rolling two hour window, schedule an hourly search similar to the following:</P><P>index=foo alertname!="*pdm*" earliest_time=-2h@h latest_time=@h<BR />| eventstats count by alertname user<BR />| where count&gt;1</P><P>To increase the frequency of detection, change the schedule and snap the time values to the same interval. For example, to search a rolling 2 hour window every minute:</P><P>index=foo alertname!="*pdm*" earliest_time=-2h@m latest_time=@m<BR />| eventstats count by alertname user<BR />| where count&gt;1</P><P>You may need to modify your scheduled search settings relative to indexing and scheduling lag in your environment or alternatively, loosen your earliest_time and latest_time predicates and use _index_earliest and _index_latest to constrain the event window. More information on time modifiers is available at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Searchtimemodifiers" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Searchtimemodifiers</A>.</P><P>Is there a more complex problem you're trying to solve?</P> Fri, 31 Mar 2023 23:58:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/636985#M221188 tscroggins 2023-03-31T23:58:58Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/638429#M221267 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a>&nbsp;</P><P>Hi,</P><P>My usecase is of in between 2 hours if users triggers an alert other than pdm more than 3 times !</P> Mon, 03 Apr 2023 17:46:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/638429#M221267 AL3Z 2023-04-03T17:46:23Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/639041#M221427 <P>If your alerts are triggered no more frequently than once per minute, the last example should work with an adjusted threshold:</P><P><SPAN>index=foo alertname!="*pdm*" earliest_time=-2h@m latest_time=@m</SPAN><BR /><SPAN>| eventstats count by alertname user</SPAN><BR /><SPAN>| where count&gt;3</SPAN></P> Thu, 06 Apr 2023 15:58:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/639041#M221427 tscroggins 2023-04-06T15:58:15Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/639113#M221443 <P><SPAN>index="YouShouldAlwaysSpecifyYourIndex" AND sourcetype="AndYourSourcetypeToo" AND alertname!="*pdm*"&nbsp;<BR /></SPAN><SPAN>| streamstats time_window=2h count by alertname user</SPAN><BR /><SPAN>| where count&gt;3</SPAN></P> Thu, 06 Apr 2023 23:19:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-eval-expression-using-the-usecase-in-Splunk/m-p/639113#M221443 woodcock 2023-04-06T23:19:42Z