https://community.splunk.com/t5/Splunk-Search/How-to-trigger-savedsearch-on-state-change-and-match-fields/m-p/301536#M90790 <P>Example events:<BR /> host1,message,service1,status<BR /> host2,message,service1,status<BR /> host1,message,service2,status</P> Tue, 03 Apr 2018 15:00:14 GMT andrei1bc 2018-04-03T15:00:14Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-savedsearch-on-state-change-and-match-fields/m-p/301534#M90788 <P>Hello,</P> <P>I have the following events:</P> <PRE><CODE>host1,message,service1,status host2,message,service1,status host1,message,service2,status ... </CODE></PRE> <P>Fields extracted as</P> <PRE><CODE>host[x] -&gt; C_Host message -&gt; C_Message service[x] -&gt; C_service status -&gt; C_status </CODE></PRE> <P>alert_actions.conf</P> <PRE><CODE>[update] payload_format = json param.instance = param.message = label = UpdateC param.end_point_id = icon_path = alert_udapte_cam.png is_custom = 1 description = param.status = </CODE></PRE> <P>savedsearches.conf</P> <PRE><CODE>[Update] action.update = 1 action.update.param.instance = $result.C_Service$ action.update.param.message = $result.C_Message$ action.update.param.end_point_id = $result.C_Host$ action.update.param.status = $result.C_Status$ alert.digest_mode = 0 alert.suppress = 1 alert.suppress.period = 15m alert.suppress.fields = $result.C_Service$ alert.track = true counttype = number of events cron_schedule = */1 * * * * disabled = 1 dispatch.earliest_time = -1m dispatch.latest_time = now enableSched = 1 quantity = 0 relation = greater than request.ui_dispatch_app = search request.ui_dispatch_view = search search = index=c_alerting sourcetype=c_index_update earliest=-1m </CODE></PRE> <P>The need is to trigger the alert when the status changes and than silence for 15 min, by matching the service to it's host and status. </P> <P>Please assist with the conditioning above, as I am sure that does not look right <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thank you in advance.</P> Tue, 03 Apr 2018 14:31:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-savedsearch-on-state-change-and-match-fields/m-p/301534#M90788 andrei1bc 2018-04-03T14:31:39Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-savedsearch-on-state-change-and-match-fields/m-p/301535#M90789 <P>hello there,<BR /> i would suggest to try and capture the condition in search and alert on "true" statement. in other words, create a search that captured an event you would like to alert on its existence.<BR /> as i am not sure what you mean by "silence for 15 min", can you provide a sample data so we can assist with a search?</P> Tue, 03 Apr 2018 14:43:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-savedsearch-on-state-change-and-match-fields/m-p/301535#M90789 adonio 2018-04-03T14:43:00Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-savedsearch-on-state-change-and-match-fields/m-p/301536#M90790 <P>Example events:<BR /> host1,message,service1,status<BR /> host2,message,service1,status<BR /> host1,message,service2,status</P> Tue, 03 Apr 2018 15:00:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-savedsearch-on-state-change-and-match-fields/m-p/301536#M90790 andrei1bc 2018-04-03T15:00:14Z