Hi,  I have set up an alert and under Actions, I have added 'Add to triggered Alerts'.  I would like to be able to use an API to retrieve the actual results of a specific triggered alert (Example, get the results of the alert triggered at 17.43.  I am using alerts/fired_alerts/<alert_name> but it just gives me the list of trigger history.  Is it possible to be able to retrieve the actual results? Preferably in JSON  

Hi all, I'm trying to create a "Fallback escalation rate" for a chatbot. This rate would be calculated by users that hit the fallback intent, and then ask for an agent anytime after that, within a given session.  For context, when a user says something, we use an intent classifier to try and match it to an intent. If we can't match the user input to an intent, it hits our fallback intent. And if a user asks for an agent, it hits the followup_live_agent intent. Each session contains multiple events, and each event represents one intent.  Today, we calculate "Escalation rate" by counting the sessions with at least one "followup_live_agent" intent. Here's the search query I created for that:      index=conversation sourcetype=cui-orchestration-log botId=123456 | eval AgentRequests=if(match(intent, "followup_live_agent"), 1, 0) | stats sum(AgentRequests) as Totaled by sessionId | eval Cohort=case(Totaled=0, "Cooperated", Totaled>=1, "Escalated") | stats count by Cohort | eventstats sum(count) as Total | eval Agent_Request_Rate = round(count*100/Total,2)."%" | fields - Total | where Cohort="Escalated"       I need to know how to calculate this same thing, but only after the fallback intent is hit. I figure I need to retain the timestamp and do some calculation using that. I'm not even sure how to get started on this, so if anyone could point me in the right direction, that would be really helpful. 

Does anyone have troubleshooting steps on how to troubleshoot parse time or index time related issue.  The use case sourcetype override or sending thing to nullQueue and filter. The reason for asking is that I didn't see anything in the internal logs or search string that was obvious to me.  Any tips can help...  Thanks in advance 

Hi, the initial situation is the following: I have an all-in-one instance, that simultaneously takes on the role of the DS, and a UF that sends its data to the AiO. The required stanzas were distributed as a separate app, in addition to the Linux TA via the DS. Scripted inputs from the TA like "vmstat.sh" or "netstat.sh" can be browsed on the AiO and work so far. In the next step I wanted to activate the "cpu_metric.sh" stanza and proceeded like this: 1. I created a metric index on the AiO, called "linux_metrics". 2. I configured the inputs.conf under the "deployment-apps" on the AiO and enabled the stanza. This config was pushed to the UF, or rather it was pulled by the UF. Config: [script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu_metric.sh] interval = 30 disabled = 0 index = linux_metrics Unfortunately, however, no data ran into my metric index. "For fun" I tried the same procedure for other metric stanzas, which then immediately passed their data to the dedicated indexer. Standard solutions, like installing sysstat, have already been tried. Maybe one of you can think of something else. Thanks in advance.