Can you help me with a query I have for an alert?


Hello experts,

I am new to Splunk. I have a file with the values below. I have indexed time as well. I need to write a query to alert if any id has text=started and subsequently 2 other texts (they can be anything) for the same id in < 5 minutes.

id text
123 started
123 in progress
123 halted
213 started
213 finished
456 started
456 running
456 in progress

Kindly help.

I tried:

index=test text="started" | stats count by id. But that only shows the started ones and does not have the other texts. The other texts are random, so I cannot specify them in a search.

Thanks a lot,


(your search)
| transaction id maxspan=5m startswith="started"
| where eventcount>2
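As an added illustration (not part of the original question or answer), the following Python models what the `transaction id maxspan=5m startswith="started"` followed by `where eventcount>2` pipeline does, over a constructed set of timestamped events: per id, a group opens at a `started` event, collects the events that follow within 5 minutes of it, and the alert condition holds for groups with more than two events. The timestamps, the extra id 789 and the function names are assumptions made for the example.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=5)

# Constructed sample events (timestamp, id, text); not data from the original post.
EVENTS = [
    ("2024-01-01 10:00:00", "123", "started"),
    ("2024-01-01 10:01:00", "123", "in progress"),
    ("2024-01-01 10:03:00", "123", "halted"),
    ("2024-01-01 10:00:00", "213", "started"),
    ("2024-01-01 10:02:00", "213", "finished"),
    ("2024-01-01 10:00:00", "456", "started"),
    ("2024-01-01 10:04:00", "456", "running"),
    ("2024-01-01 10:07:00", "456", "in progress"),  # 7 min after start: outside maxspan
    ("2024-01-01 09:59:00", "789", "queued"),       # before any "started": not grouped
    ("2024-01-01 10:00:00", "789", "started"),
    ("2024-01-01 10:00:30", "789", "running"),
    ("2024-01-01 10:01:00", "789", "in progress"),
]


def build_transactions(events, maxspan=MAXSPAN):
    """Group events per id the way transaction ... maxspan=5m startswith="started" does.

    A group opens on a 'started' event and takes later events of the same id that
    fall within maxspan of that start. Events with no open group (or beyond the span)
    would surface in Splunk as single-event transactions, which `where eventcount>2`
    drops anyway, so they are simply skipped here.
    """
    open_groups = {}  # id -> list of (timestamp, text) for the currently open group
    closed = []       # finished groups as (id, [texts])
    for ts_str, ident, text in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        group = open_groups.get(ident)
        if text == "started":
            if group:  # a new start closes the previous transaction for this id
                closed.append((ident, [t for _, t in group]))
            open_groups[ident] = [(ts, text)]
        elif group and ts - group[0][0] <= maxspan:
            group.append((ts, text))
    for ident, group in open_groups.items():
        closed.append((ident, [t for _, t in group]))
    return closed


def alerting_ids(events, min_events=3):
    """Equivalent of `| where eventcount>2`: ids whose transaction holds
    a 'started' event plus at least two later events within the span."""
    return sorted({i for i, texts in build_transactions(events) if len(texts) >= min_events})


if __name__ == "__main__":
    print(alerting_ids(EVENTS))  # ['123', '789']
```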
