Thanks for the clue @isoutamo I did respective changes, and I got the solution. ... View more

@richgalloway I didn`t get any results other than success. I need other than success saved alerts out of 4.   ... View more

@richgalloway Hello, thanks for the query i got great results, so some more need to do based on the below query, I need an alert for if any of the searches are not run I need the alert to mail. index=_internal source=*scheduler.log search_type=scheduled savedsearch_name="Expiry of SSL Certificates for UI Instances" OR savedsearch_name="Expiry of SSL Certificates for FR Instances" OR savedsearch_name="Expiry of SSL Certificates for Mulesoft Instances" OR savedsearch_name="Expiry of DNS SSL Certificates" | stats count by savedsearch_name   ... View more

@ITWhisperer the events are related to "nextFromDate for Ariba query set in s3 fromDateTimeUTC" and the fields are below listed, in the files "Message" is extracted by me, based on that also some are not extracting under "Message" field.   ... View more

@ITWhisperer as per our yesterday's discussion i got the exact results. So same like this in some of the events am not able to get like this the Message field is not taking up to extract while combining in Example 2. Example 1: Perfect output host="mules1" OR host="mules2" Message="message: Start of Flow CreateUser flow" OR Message="message: All system calls for CREATE user is completed" | stats count by Message | transpose 0 header_field=Message | eval Failures='message: Start of Flow CreateUser flow'-'message: All system calls for CREATE user is completed' | transpose 0 column_name=message header_field=column Example 2: getting issue but Individually showing events,   ... View more

@priyanka_231019 no use showing nothing,   ... View more

@venkatasri its not showing any results based on your query I tried: No output The output will be like this: Search: host="mules1" OR host="mules2" "nextFromDate for Ariba query set in s3 fromDateTimeUTC" Output:     ... View more

@ITWhisperer thanks for the swift response, i got the exact results. ... View more

I created CSV like this: Next created query like this: The process_names shows like this:     ... View more

 T@gcusello: The application team creates manually. #: var/log/services.txt services.txt file contains, below logs, it looks like this. These logs are ingested with Splunk. So based on this I can't able to correlate the file because of logs like this.   ... View more

Yes, I did the same what you suggested, but no luck. If you can share the zoom meeting, please let me know will discuss it live. ... View more

Sorry @gcusello this is not working, based on this the alert triggers still "Kafka" included logs. ... View more

@gcusello  what are all you suggesting it's not working for me, you can see the sample alert I got. Please help, if the keyword in the below list is not in any events will get mail. Can you provide a solution for this?   ... View more

@gcusello Thanks for helping! If you see the below query and latest log in that able to see the "Kafka" is running, So in the same case I need if the service "Kafka" is not present in that list I want to know with alert.   ... View more

@gcusello there is no fields to segregate. Actually, the question is In a Linux machined using JPS command some services is are running, ex: Kafka, JPS etc with PID, if any services are stopped we need to get an alert. Here some tricky idea I have, so if the keyword "Kafka" is not seen in events for more than 1 minute I want to get that alert, so based on this the application team to know oh! the Kafka services are not running in that particulate host. Here is the Query: index="main" host="linux machine" source="logs" "Kafka" Please suggest the query to get the alert when "Kafka" word is seen more than 1 minitue. ... View more