Hi,
We are using ServiceNow, which has been integrated with Splunk to generate incidents.
The current query works fine for a single failure, but I am checking how to generate an incident only if a log backup has failed repeatedly, 3 times, and then generate an incident.
My current eval looks like:
| eval
itsi_entity=objectName,
itsi_event_key=objectId,
itsi_correlation_key=objectId,
itsi_summary="Backup "+eventStatus+" for "+objectName,
message=message,
itsi_message="Alerting time: "+human_readable_time+"~~"+field1+"~~"+field2+"~~"+field3+"~~"+field4+"~~"+field5+"~~"+field6+"~~"+field7+"~~"+field8,
itsi_impact=case(
message like("%Failed log backup of Oracle Database%") ,"High",
message like("%Failed backup of Oracle Database%"),"High",
true(), "Medium"),
itsi_urgency=case(
message like("%Failed log backup of Oracle Database%"), "High",
message like("%Failed backup of Oracle Database%"), "High",
true(), "Medium")
I need to have something in the itsi_impact case statement so that when "failed log backup" has failed 3 times, a high incident is generated. I tried to keep eval and count fields in the case statement, but it is not working.
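To make the escalation rule in the question concrete, here is the counting logic modelled in plain Python over constructed sample events. This is an added example, not code from the original post, from Splunk or from ServiceNow: it reads the same fields the post's eval uses (objectId, objectName, eventStatus, message, plus a timestamp), classifies a full-backup failure as High exactly as the post's case() does, and raises a log-backup failure from Medium to High only once the same object has failed a threshold number of times inside a time window. The threshold of 3 comes from the question; the 24-hour window, the sample messages and the timestamps are assumptions.

```python
"""Escalate repeated Oracle log-backup failures before raising a High incident.

Added example, not code from the original post or from Splunk/ServiceNow.
Field names mirror the post's eval; the 24-hour window is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_BACKUP_FAILURE = "Failed log backup of Oracle Database"
FULL_BACKUP_FAILURE = "Failed backup of Oracle Database"

# Constructed sample events: three log-backup failures for DB1 within an hour,
# one log-backup failure for DB2, one full-backup failure for DB3, one success.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10 01:00:00", "objectId": "101", "objectName": "DB1",
     "eventStatus": "Failed", "message": "Failed log backup of Oracle Database DB1"},
    {"_time": "2024-01-10 01:15:00", "objectId": "101", "objectName": "DB1",
     "eventStatus": "Failed", "message": "Failed log backup of Oracle Database DB1"},
    {"_time": "2024-01-10 01:30:00", "objectId": "101", "objectName": "DB1",
     "eventStatus": "Failed", "message": "Failed log backup of Oracle Database DB1"},
    {"_time": "2024-01-10 01:05:00", "objectId": "102", "objectName": "DB2",
     "eventStatus": "Failed", "message": "Failed log backup of Oracle Database DB2"},
    {"_time": "2024-01-10 01:10:00", "objectId": "103", "objectName": "DB3",
     "eventStatus": "Failed", "message": "Failed backup of Oracle Database DB3"},
    {"_time": "2024-01-10 01:20:00", "objectId": "104", "objectName": "DB4",
     "eventStatus": "Succeeded", "message": "Completed log backup of Oracle Database DB4"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def count_log_backup_failures(events, window=timedelta(hours=24)):
    """Per objectId, count log-backup failures that fall inside `window`
    ending at that object's most recent failure (a sliding-window check)."""
    times = defaultdict(list)
    for ev in events:
        if LOG_BACKUP_FAILURE in ev["message"]:
            times[ev["objectId"]].append(parse_time(ev["_time"]))
    counts = {}
    for object_id, stamps in times.items():
        stamps.sort()
        latest = stamps[-1]
        counts[object_id] = sum(1 for t in stamps if latest - t <= window)
    return counts


def impact_for(event, failure_counts, threshold=3):
    """Mirror the post's case(): a full-backup failure is High; a log-backup
    failure becomes High only once the object has failed `threshold` times."""
    msg = event["message"]
    if FULL_BACKUP_FAILURE in msg:
        return "High"
    if LOG_BACKUP_FAILURE in msg:
        return "High" if failure_counts.get(event["objectId"], 0) >= threshold else "Medium"
    return "Medium"


def build_incidents(events, threshold=3, window=timedelta(hours=24)):
    """One incident per objectId (the post's itsi_correlation_key), carrying the
    fields the post's eval builds; returns a dict keyed by objectId."""
    counts = count_log_backup_failures(events, window)
    incidents = {}
    for ev in events:
        if ev["eventStatus"] != "Failed":
            continue
        impact = impact_for(ev, counts, threshold)
        incidents[ev["objectId"]] = {
            "itsi_entity": ev["objectName"],
            "itsi_event_key": ev["objectId"],
            "itsi_correlation_key": ev["objectId"],
            "itsi_summary": "Backup " + ev["eventStatus"] + " for " + ev["objectName"],
            "itsi_impact": impact,
            "itsi_urgency": impact,
            "failure_count": counts.get(ev["objectId"], 0),
        }
    return incidents


if __name__ == "__main__":
    for key, inc in sorted(build_incidents(SAMPLE_EVENTS).items()):
        print(key, inc["itsi_summary"], inc["itsi_impact"], inc["failure_count"])
```

With the sample data, DB1 reaches the threshold and is raised as High, DB2 stays Medium with a single log-backup failure, DB3 is High because a full backup failed, and the successful DB4 run produces no incident. Shrinking the window (for example to 20 minutes) drops DB1 back to Medium, which is the behaviour to check before wiring the same per-object count into the eval.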