Use /service/search/jobs REST API.  When you set up an alert, you must have a saved search.  Assuming that you give it a name "My alarming alert: Everybody panic!", the following search will tell you when the last alert happened and when the first clear occurred. (It will display the time of latest clean search if last alert already expired.) | rest /services/search/jobs | where isDone = 1 AND label == "My alarming alert: Everybody panic!" | fields updated resultCount label | eval _time = strptime(updated, "%FT%T.%3N%z") | transaction startswith="resultCount>0" endswith="resultCount=0" keeporphans=1 | fields - _* | where closed_txn == 1 OR resultCount == 0 | eval last_alert_count = max(resultCount) | eval last_alert_time = min(updated) | fields label last_alert_time last_alert_count  

I get this error whether I use <<FIELD>> or <<ITEM>>.  Error in 'EvalCommand': The arguments to the 'mvappend' function are invalid. | eval type=mvappend(if(isnotnull('<<ITEM>>'), '<<ITEM>>', type)) ]

When you say "a list of", I assume that this list is in a field that is single-valued in each event.  Is this correct?  Assuming yes, and assuming a field name of fullname, you can do   | eval fullname = trim(split(fullname, ","), " ") | eval fullname = mvjoin(mvreverse(fullname), " ")   Here is an emulation you can run and compare with real data   | makeresults | fields - _* | eval fullname = "Smith, Suzy" ``` data emulation above ``` | eval fullname = trim(split(fullname, ","), " ") | eval fullname = mvjoin(mvreverse(fullname), " ")   Output is fullname Suzy Smith Hope this helps

Hi, I'm getting the same issue. Waiting for web server at http://x.x.x.x to be available ... done The Splunk web interface is at http://localhost:8000 Tried access the Splunk web but cannot be reached. netstat -an | grep 8000 tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN firewall is disabled. telnet is results below: Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. HTTP/1.1 400 Bad Request Date: Thu, 15 Feb 2024 21:21:05 GMT Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 207 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>HTTP Request was malformed.</p></body></html> Connection closed by foreign host.  

Have you edited the data model to create a new calculated field using your eval command?  That should do it. Be warned, however, that once you modify a DM you own it.  Your copy will override any changes delivered by Splunk.

@ea-2023 If your JSON field 3 has one or more of those field attributes, then after the spath you can do | foreach "Attribute Name", "Resource Name", and "ID" [ | eval type=mvappend(if(isnotnull('<<FIELD>>'), '<<FIELD>>', type) ] which will cycle through the 3 desired fields and for any of the 3 that exist, will make a multi-value field called type with any that do exist.