This works fine when there is no repetition in the multivalued field.It fails such scenraio. Any suggestions in this regard?   ... View more

thx a lot! ... View more

So would it have to get to greater than 10 before a single alert? I need to be able to catch the ones that just come in once as well. What I'm trying to avoid is for the ones that come in 10 times within one minute, to just report on that specific alert once. If you need to be notified as soon as ONE event comes in then change the alert value "Greater than" to 0. Ok, so is there a way with this feature to say that if the alert is only one time, forward to OpsGenie... and if the alert is greater than 5 in 5 minutes, alert only once to OpsGenie? So you need to define two different notification behaviours according to the volume of the alert? I think the easiest way to do so is to clone the alert condition and change the triggers: - Forward to OpsGenie: is Greater than 0 in 1 minute, trigger "for each result", no throttle (be careful: this setting can create A LOT of notifications) - Alert to OpsGenie: is greater than 5 in 5 minutes, trigger "Once", throttle 24h (or something like that) ... View more

host="SERVER_Number_*" "Game Starting..." | timechart span=1d count by host Timechart already groups by _time so there is no need to add it ... View more

In your search your have replaced the where command with | where mvcount(MemberName)<2 and since the MemberName field is unique the filter does not work. Replace this with the original | where mvcount(EventCode)<2 and it should work fine. Yeah, yeah you are right Thank you very much for excellent help! I use the next code and it seems works fine: source="WinEventLog:Sec*" index="wineventlog" EventCode=4732 OR EventCode=4733 | rex field=_raw "Message=(?\S+.*)" | rex field=_raw "Subject:\s+.*\s+Account Name:\s+(?\S+.*)" | rex field=_raw "Member:\s+Security ID:\s+(?\S+.*)" | rex field=_raw "Group:\s+.*\s+Group Name:\s+(?\S+.*)" | transaction host MemberName | where mvcount(EventCode)<2 | fieldformat Date=strftime(Date,"%x %X") | table host, EventCode, Descript, UserName, MemberName, GName, _time | rename host as Host EventCode as "Event Code" MemberName as "Member Name" GName as "Local Group" _time as Date Descript as Description UserName as CDSID ... View more

Thank you for your help! I don't think this would work because I have so many URLs that I would not be able to write a like statement for all of them. ... View more

Thank You, I still misspell some comma here and there but your logic is way simpler and faster to use. ... View more

Try something like this (assuming there are no duplicate request-response set of events for a TransId index=TEST Source=Log1 "Request received" OR "Response sent" |rex field=_raw "DT=(?<DT>.*?) \|"| eval _time=strptime(DT,"%Y-%m-%d %H:%M:%S.%3N") | rex field=_raw "Type=(?<Type>\w+)" | chart values(_time) over TransID by Type | eval _time=Request | eval ResponseTime=Response-Request | timechart span=15m avg (ResponseTime) AS AvgResponseTime ... View more