Good afternoon!
Please tell me, on the following request, unfortunately I'm not so familiar with spl to issue a working version now ((
This request is required for notification.
Let me describe the workflow first:
We have a post thread, 12 posts. Each message has a unique routepointID field, the values ​​of this field begin
with numbers and with each message in the chain, the value grows: 1.pointID, 2.pointID (this is an example).
The notification should be processed if one of the messages came out out of order, for example:
Received 1.pointID, 2.pointID waiting for 3.pointID, and comes: 4.pointID need to run an alert.
An example of our query to find message threads from a message flow:

index="main" sourcetype="testsystem-script4"

| eval srcMsgId_Исх_Сообщения=if(len('Correlation_srcMsgId')==0 OR isnull('Correlation_srcMsgId'),'srcMsgId','Correlation_srcMsgId')

| eval timeValue='eventTime'

| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S.%3N%Z") | sort -eventTime | streamstats values(time) current=f  window=1 as STERAM_RESULT  global=false by srcMsgId_Исх_Сообщения

| eval diff=STERAM_RESULT-time

| stats list(diff)  as TIME_DIF list(eventTime) as eventTime list(srcMsgId) as srcMsgId_Бизнес_Сообщения list(routepointID) as routepointID count as  Кол_Сообщений by srcMsgId_Исх_Сообщения