Hi,

I'm new to correlation searches and I want to create a correlation search that: searches for episodes with the same service_ids, serviceid and where alert_type matches "KPI alert" and checks the status of the most recent episode. If it finds that the most recent episode matching those fields is "normal" status, then it generates new events with the severity "info" with a new key and value like close_episode=yes and all the needed information to add this event to the right episode.

The purpose being that if we have an episode for entity 1 that is critical from 1-1:30pm then episode 2 for entity 1 that is normal from 1:30-2pm I want to be able to create a rule in our NEAP that finds that says if episode 2 for the same entity has returned to normal than close episode 1.

For further context i've including the filtering criteria we are using within our NEAP and the correlation search we are relying on to create alerts.