topic Re: email alert for time period that contains multiple items in Splunk Search https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87850#M22454 <P>What is the field name that includes netxdown?</P> Tue, 08 Oct 2013 17:45:42 GMT lukejadamec 2013-10-08T17:45:42Z email alert for time period that contains multiple items https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87847#M22451 <P>I want to send an email alert only when the last X minutes of a log contains "net1 down", "net2 down", "net3 down", and "net4 down". The messages are on different lines. How can I do this with the Splunk search app? Right now I have it send me an alert with results for "net* down" and eyeball it to make sure not all 4 are there.</P> Tue, 08 Oct 2013 17:34:23 GMT https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87847#M22451 scr4tchfury 2013-10-08T17:34:23Z Re: email alert for time period that contains multiple items https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87848#M22452 <P>Are these different lines of the same event, or 4 different events?</P> Tue, 08 Oct 2013 17:37:17 GMT https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87848#M22452 lukejadamec 2013-10-08T17:37:17Z Re: email alert for time period that contains multiple items https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87849#M22453 <P>They are 4 different events.</P> Tue, 08 Oct 2013 17:40:19 GMT https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87849#M22453 scr4tchfury 2013-10-08T17:40:19Z Re: email alert for time period that contains multiple items https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87850#M22454 <P>What is the field name that includes netxdown?</P> Tue, 08 Oct 2013 17:45:42 GMT https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87850#M22454 lukejadamec 2013-10-08T17:45:42Z Re: email alert for time period that contains multiple items https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87851#M22455 <P>Schedule a search to run every 15 minutes</P> <P>Set the alert to trigger if the result count is greater than 3</P> <PRE><CODE>index=yourindex sourcetype=yoursourcetype yourfield="*net1 down*" OR yourfield="*net2 down*" OR yourfield="*net3 down*" OR yourfield="*net4 down*" | dedup yourfield </CODE></PRE> Tue, 08 Oct 2013 17:52:56 GMT https://community.splunk.com/t5/Splunk-Search/email-alert-for-time-period-that-contains-multiple-items/m-p/87851#M22455 lukejadamec 2013-10-08T17:52:56Z