You know, sometimes you know something but until you really test all options you're just not sure. With a "count", like

| tstats count WHERE index="<index>" earliest="-5min" latest=now() | `<mail_macro>` | rename count as "Events"

there will always be at least one result, "0" (zero). It also does not matter if the count is 0 or 99999999, there is exactly 1 result. So the email macro does work; the condition "Number of results = 0" just fails, and it will fail producing false positives with ">=1" as well.

I forgot about "custom trigger conditions" though, which is likely the best solution for the intended use case.

| tstats count WHERE index="<index>" earliest="-5min" latest=now() | eval Information = if(count="0", "Currently f-d","Working") | `<mail_macro>` | rename count as "Events"

Then using a "custom trigger" like 'search Events = "Currently f-d"' works just as well as the solution outputting only results where there were events in the last x minutes but zero events in the current x minutes. Probably more effective as well.

Thank you both for your help, the community here is fantastic.
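The same alert expressed as a savedsearches.conf stanza, added here as an illustration and not taken from the post above: the scheduled search always returns exactly one row, so the trigger uses a custom condition (`counttype = custom` with `alert_condition`) that matches on the field carrying the status string rather than on the row count. The stanza name, the placeholder index, the 5-minute cron schedule and the choice to test the `Information` field (the one the eval populates) are assumptions; the macro name is the placeholder used in the post.

```ini
# Hypothetical stanza; <index> and <mail_macro> are placeholders as in the post.
[Index ingest check - constructed example]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# tstats always yields one row, so eval derives a status field from the count
search = | tstats count WHERE index="<index>" earliest="-5min" latest=now() | eval Information = if(count="0", "Currently f-d", "Working") | `<mail_macro>` | rename count as "Events"
# Custom trigger: fire only when the single result row carries the failure status.
# "Number of results = 0" would never fire, and ">= 1" would fire on every run.
counttype = custom
alert_condition = search Information="Currently f-d"
alert.suppress = 0
```

With this stanza the post-processing search in `alert_condition` runs over the one-row result set each schedule cycle, and the alert fires only when that row's `Information` value is the failure string, which is exactly the behaviour the result-count conditions could not provide.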