Hi @apomona, answering your questions:

In _time you have the last occurrence of the EventCode. If there isn't any occurrence in the period you don't have any value; in this case you could add a message instead of zero:

index="ad_windows" EventCode=4776 earliest=-60m@m latest=@m
| eval period=if(_time>now()-60,"Last","Previous")
| stats
    count(eval(period="Last")) AS count
    latest(_time) AS _time
    BY host
| append [
    | inputlookup DomainController.csv
    | eval count=0
    | fields host count
    ]
| stats sum(count) AS total latest(_time) AS _time BY host
| where total=0
| eval _time=if(isnull(_time),"No events in the period",_time)
| table host _time

Avoid using real-time searches, because they are very heavy for the system: each search takes a CPU and releases it when it finishes, but RT searches never finish. A scheduled search is better, even if it runs every minute.

Expire: in Splunk there isn't an expiring period for an alert; the expiring period that you see in the alert is for the results (usually 1 day or 1 week). One year, I think, is too long and disk-space consuming.

No, if the alert doesn't trigger an alert condition you don't have a message; if you want a message you have to use a different search, but what's the utility of an "all OK" message in an alert? An alert should trigger only on an error condition, not on an OK condition.

Ciao.
Giuseppe
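The absence check in the search above, as an added example that is not part of Giuseppe's answer: the same per-host count, left-join against the expected-DC list and "no events" message, written in Python so each step is explicit. The event records, the DomainController list and the fixed "now" are constructed.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (constructed value).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed stand-in for the index="ad_windows" events (only host, EventCode, _time matter).
EVENTS = [
    {"_time": NOW - timedelta(minutes=5),  "host": "dc01", "EventCode": 4776},
    {"_time": NOW - timedelta(minutes=45), "host": "dc01", "EventCode": 4776},
    {"_time": NOW - timedelta(minutes=90), "host": "dc02", "EventCode": 4776},  # outside window
    {"_time": NOW - timedelta(minutes=10), "host": "dc02", "EventCode": 4624},  # other EventCode
]

# Constructed stand-in for DomainController.csv: the hosts that must report.
DOMAIN_CONTROLLERS = ["dc01", "dc02", "dc03"]


def host_status(events, expected_hosts, now=NOW, window=timedelta(minutes=60), event_code=4776):
    """Per-host count and last occurrence of event_code in [now - window, now].
    Same as: stats count, latest(_time) BY host, then append the lookup with count=0."""
    status = {h: {"count": 0, "last_seen": None} for h in expected_hosts}
    earliest = now - window
    for ev in events:
        if ev["EventCode"] != event_code or not (earliest <= ev["_time"] <= now):
            continue
        row = status.setdefault(ev["host"], {"count": 0, "last_seen": None})
        row["count"] += 1
        if row["last_seen"] is None or ev["_time"] > row["last_seen"]:
            row["last_seen"] = ev["_time"]
    return status


def silent_hosts(status):
    """The 'where total=0' step: expected hosts with no matching event in the window."""
    return sorted(h for h, row in status.items() if row["count"] == 0)


def report(status):
    """The 'table host _time' step: last occurrence, or the message when there is none."""
    return {
        h: (row["last_seen"].isoformat() if row["last_seen"] else "No events in the period")
        for h, row in status.items()
    }


if __name__ == "__main__":
    st = host_status(EVENTS, DOMAIN_CONTROLLERS)
    for host in silent_hosts(st):
        print(host, report(st)[host])
```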