I tried using the map command in my index, but my lookup return is getting messed up, and also the maxspan is not taking effect. Below is my updated script:
| search Id="*"
| lookup error_rules.csv EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| table Id PublisherMessage EventSubType PublisherTimestamp alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| map search="search index=* | transaction Id PublisherMessage maxspan=$span_time$"
| stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) AS SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count BY Id PublisherMessage _time
Lookup File:
EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit
Failed to Ping Computer,Critical,7m,0,0,0
Application Error,Warning,5m,0,0,0
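An added example, not from the original post: a small Python model of what the search above does, so the effect of the per-rule span can be checked offline. It joins constructed sample events against the lookup exactly as posted (header kept as-is, including the spam_time column) and groups events per Id the way transaction maxspan does. EVENTS, parse_span, load_lookup, lookup_field and transactions are names assumed for this example.

```python
import csv
import io
from datetime import datetime, timedelta

# Lookup copied from the post. Note the header column is spam_time, while
# the search asks the lookup command to OUTPUT span_time.
LOOKUP_CSV = """EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit
Failed to Ping Computer,Critical,7m,0,0,0
Application Error,Warning,5m,0,0,0
"""

# Constructed sample events: (Id, EventSubType, PublisherTimestamp).
EVENTS = [
    ("host1", "Failed to Ping Computer", "2024-01-01 10:00:00"),
    ("host1", "Failed to Ping Computer", "2024-01-01 10:05:00"),
    ("host1", "Failed to Ping Computer", "2024-01-01 10:20:00"),
    ("host2", "Application Error", "2024-01-01 10:00:00"),
    ("host2", "Application Error", "2024-01-01 10:04:00"),
]

def parse_span(value):
    """Parse a Splunk-style span such as '7m' or '30s'. None means no limit."""
    if not value:
        return None
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return timedelta(seconds=int(value[:-1]) * units[value[-1]])

def load_lookup(text):
    """Index the CSV rows by EventSubType, like an automatic lookup would."""
    return {row["EventSubType"]: row for row in csv.DictReader(io.StringIO(text))}

def lookup_field(lookup, subtype, field):
    """Mimic `lookup ... OUTPUT field`: a column missing from the CSV yields None."""
    return lookup.get(subtype, {}).get(field)

def transactions(events, lookup, field="span_time"):
    """Group events per Id like `transaction Id maxspan=<span>`, taking the span
    from the lookup column named by `field`. Returns {Id: [events per group]}."""
    by_id = {}
    for ident, subtype, ts in sorted(events, key=lambda e: e[2]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        span = parse_span(lookup_field(lookup, subtype, field))
        groups = by_id.setdefault(ident, [])
        # maxspan is measured from the first event of the open transaction;
        # with no span (None) every event for the Id lands in one group.
        if groups and (span is None or t - groups[-1][0] <= span):
            groups[-1].append(t)
        else:
            groups.append([t])
    return {ident: [len(g) for g in groups] for ident, groups in by_id.items()}
```

Reading the span from the column that the CSV actually has (spam_time) splits host1 into two transactions; reading span_time returns None for every event, so no span limit is applied and each Id collapses into a single group.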