Dear Splunkers, I have a flow of events and need to perform alarm when some value, e.g. metricValue is greater than threshold and set state level and last level fields to be calculated following way: first event or value is less than threshold = stateLevel=0 => value greater than threshold state level = lastLevel+1 and till max level (custom value provided by Client) => value less than threshold > stateLevel = lastLevel -1. with my current search lastLevel is always not greater than 1, stateLevel is not greater than 2. I have a question on what's wrong with my eval command: maxLevel = 3 | streamstats current=f window=1 last(dl_dmax) as lastDmax, last(stateLevel) as lastStateLevel by _time | eval stateLevel = if(isnull(lastStateLevel), 0, lastStateLevel) | eval lastLevel = if(lastDmax>threshold, case(stateLevel<maxLevel, stateLevel+1, stateLevel==maxLevel, maxLevel), case(stateLevel!=0, stateLevel-1, stateLevel=0, 0)) | eval stateLevel = if(metricValue>threshold, case(lastLevel<maxLevel, lastLevel+1, lastLevel==maxLevel, maxLevel), case(lastLevel!=0, lastLevel-1, lastLevel=0, 0)) | table threshold, metricValue, maxLevel, alertLevel, clearLevel, lastLevel, stateLevel
... View more