Hi all,

I made an alert which sends out mail to the respective teams whenever a high priority task has not been updated for more than an hour. The query is as follows:-

index="abc" INC* main_metric,

state="New" OR state="In Progress" OR state="Awaiting Third Party" OR state="Pending" priority = "1 - Critical" OR priority = "2 - High"

| rex field=_raw "main_metric=\"(?<main_metric>\S+\s\d+\:\d+\:\d+)\""

| dedup main_metric

| dedup number

| eval main_metric = upper(main_metric) 

| lookup lookup_inactivity_alert_distribution_list.csv assignment_group OUTPUT "Email_To" "Email_Cc" "Email_Bcc" "Enabled" 

| fillnull value=0

| search number != 0 AND Enabled = "Y" AND main_metric != 0

| eval end=strptime(main_metric, "%Y-%m-%d %H:%M:%S.%N")

| eval start=now()

| eval diff = start - end  

| lookup lookup_frequency_impact.csv impact output "Frequency1" "Frequency2" "Frequency3" "Frequency4" 

| eval freqdiff1 = Frequency1 + 600

| eval freqdiff2 = Frequency2 + 600

| eval freqdiff3 = Frequency3 + 600

| eval freqdiff4 = Frequency4 + 600

|eval result = case('caller_id' = "SCOM System" AND

'diff' >= 'Frequency3' AND  

'diff' <= 'freqdiff3',"outcome1",'caller_id' != "SCOM System" AND 'diff' >= 'Frequency1' AND

'diff' <= 'freqdiff1',"ouitcome2",'caller_id' != "SCOM System" AND 'diff' >= 'Frequency2' AND

'diff' <= 'freqdiff2',"outcome3",'caller_id' != "SCOM System" AND 'diff' >= 'Frequency3' AND

'diff' <= 'freqdiff3',"outcome4",'caller_id' != "SCOM System" AND 'diff' >= 'Frequency4' AND

'diff' <= 'freqdiff4',"outcome5",1==1,"no outcome")

| search result="outcome1" OR result="outcome2" OR result="outcome3" OR result="outcome4" OR result="outcome5" AND state!="Closed"

| table  main_metric priority caller_id result assignment_group u_updated_on "Email_To" Email_Cc Email_Bcc number start end diff Frequency1 Frequency2 Frequency3 Frequency4

| map alert_main_metric_mail assignment_group="$assignment_group$" to="$Email_To$" cc="$Email_cc$" bcc="$Email_Bcc$"

The second lookup handles the frequency with which the alert emails are to be sent with respect to the priority of the ticket. Now the problem that I am having is that if the ticket or task is closed within half an hour of it being created, the alert is still generated. Even if the ticket is de-escalated, the alert is still being received. I tried many modifications in the code but nothing seems to work. Could you all help me with this bug?

P.S.: The map commands connect just the saved search which sends out the emails with the appropriate subject and description.