https://community.splunk.com/t5/Splunk-Search/Search-based-on-a-previous-conditions-Or-alert-that-exec/m-p/670567#M229862 <P>Hello!&nbsp;</P><P>Is it possible to implement something like this?<BR />I have 300+ devices that send logs to one index. I want to check if there are no logs from the device for more than one minute then execute an alert. When the device resumed logs then also a warning. And immediately after the warning update the csv file.</P><P>My search now looks like this:</P><P>| tstats latest(_time) as lastSeen where index IN("my_devs") earliest=-2m latest=now by host<BR />| lookup devs_hosts_names.csv host OUTPUT dev_name<BR />| eval dev_name = if(isnotnull(dev_name),dev_name,"unknow host")<BR />| eval status = if((now() - lastSeen&lt;=60),"up","down")<BR />| eval status = if(isnotnull(lastSeen),status,"unknow")<BR />| search NOT<BR />[| inputlookup devs_status.csv<BR />| fields host dev_name status]<BR />| convert ctime(*Seen)<BR />| table host dev_name status lastSeen</P><P>| - At this time of search I would like to trigger an alert for each dev_name and then rewrite (update)&nbsp; devs_status.csv&nbsp;</P><P>But I don't find how it can be realized, I ask for your help. I'm new to splunk and don't understand how much this kind of request is normal for splunk?</P><P>Thanks.</P><P>&nbsp;</P> Sun, 03 Dec 2023 16:00:23 GMT Kim 2023-12-03T16:00:23Z https://community.splunk.com/t5/Splunk-Search/Search-based-on-a-previous-conditions-Or-alert-that-exec/m-p/670567#M229862 <P>Hello!&nbsp;</P><P>Is it possible to implement something like this?<BR />I have 300+ devices that send logs to one index. I want to check if there are no logs from the device for more than one minute then execute an alert. When the device resumed logs then also a warning. And immediately after the warning update the csv file.</P><P>My search now looks like this:</P><P>| tstats latest(_time) as lastSeen where index IN("my_devs") earliest=-2m latest=now by host<BR />| lookup devs_hosts_names.csv host OUTPUT dev_name<BR />| eval dev_name = if(isnotnull(dev_name),dev_name,"unknow host")<BR />| eval status = if((now() - lastSeen&lt;=60),"up","down")<BR />| eval status = if(isnotnull(lastSeen),status,"unknow")<BR />| search NOT<BR />[| inputlookup devs_status.csv<BR />| fields host dev_name status]<BR />| convert ctime(*Seen)<BR />| table host dev_name status lastSeen</P><P>| - At this time of search I would like to trigger an alert for each dev_name and then rewrite (update)&nbsp; devs_status.csv&nbsp;</P><P>But I don't find how it can be realized, I ask for your help. I'm new to splunk and don't understand how much this kind of request is normal for splunk?</P><P>Thanks.</P><P>&nbsp;</P> Sun, 03 Dec 2023 16:00:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-based-on-a-previous-conditions-Or-alert-that-exec/m-p/670567#M229862 Kim 2023-12-03T16:00:23Z