index=xyz host=a12fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")
index=xyz host=a12fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")
index=xyz host=a13fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")
index=xyz host=a13fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")
how to consolidate these alert to single alert?
... View more