Hello All, I have created an Alert with the following query, Issue I'm having here is, I'm not receiving email alert even if the condition is met and events are returned.   | dbxquery query="SELECT eventTriggeredDate, APPLICATION_NAME, APPLICATION_NAMEENV, APPLICATION_GROUP, eventChain, eventType, eventMessage, eventMod, eventRule, eventSeverity FROM Admin.console.v_ES_RelevantEvents55 WHERE eventTriggeredDays <= 7 AND (APPLICATION_NAME='ABC_PRD' OR APPLICATION_NAME='XYZ-PRD') AND APPLICATION_NAMEENV='PRD'" connection="TESTING_DEV" | lookup users_email.csv "Application Name" as APPLICATION_NAME OUTPUT "Admin email" as Admin_email "QA email" as QA_email "Developers email" as Developers_email | lookup policy_details.csv policy_name as eventRule OUTPUT policy_description | eval users_mail = Admin_email.",".Developers_email.",".QA_email | stats count as Total_Events values(eventChain) as "Event Policy/Rule" values(eventType) as "Event Type" values(eventMod) as "Event Mod/Policy" values(eventRule) as "Event Rule" values(users_mail) as users_mail values(eventMessage) as eventMessage values(policy_description) as policy_description by APPLICATION_NAME, eventSeverity | eval eventMessage=mvindex(eventMessage, 0, 20) | where Total_Events > 10 | table APPLICATION_NAME, Total_Events, eventSeverity, "Event Type", "Event Rule", users_mail, eventMessage, policy_description | rename APPLICATION_NAME as application_name, Total_Events as number_of_events, eventSeverity as event_severity, "Event Type" as event_type, "Event Rule" as event_rule, eventMessage as event_message   I have given email list as $result.users_mail$, the values from the filed users_mail. I see the alert being triggered but i don't receive an email. Also is there a way we can add external links to the Splunk Alerts?

I am trying to filter my search results where only a particular subset of the results should be shown. Example suppose if below is the intermediate search result.  MESSAGE: Records::0 MESSAGE: Records::1 MESSAGE: Records::0 MESSAGE: Records::4 Final search results should contain only where the records are greater than 0. Is there any query which can help with this?

#mission_control, # splunk cloud Hi  In my org primarily Mission Control events are investigated by SOC as soon as they pop up, if futher investigation is needed the incident is escalated to Enterprise security TEAM who is responsible to perform deeper/detailed investigation and update back in Mission Control.  USE CASE:  The enterprise security manger wants a DASHBOARD which will inform him about :  if the investigation is being performed by his team (ES)> how much average time his team member takes to resolve an incident > averaged over a month.   For ES team I have lookup file or also I can type there name(Only 7-8 people) > I NEED A QUERY WHICH WILL EVALUATE WHEN assigne=(tom,tim,xyz) , difference between update_time & create_time , averaged out over month.  Field we have : | mcincidents   add_response_stats=true | eval create_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p") | eval update_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p") | table assigne, create_time, update_time, description, disposition, id, incident_type, name, sensitivity, source_type, summary