Hi Splunk team, I would like to ask if we can alert users for 2 out of 3 OOC (out of control) points grouped by host and ordered by time. So if we have time-based values, we would like to:

1. Group them by host first.
2. Sort each host group by time.
3. Split each host group into smaller groups of size 3 and check whether 2 out of the 3 points in the smaller group have OOC data. 3 out of 3 is also considered a true condition to alert.

For example, OOC condition: value greater than 2.

host  time  value  OOC
A     0:01  1      NO
A     0:02  3      YES
A     0:02  1      NO
A     0:03  3      YES
A     0:04  3      YES
A     0:06  3      YES
B     0:06  1      NO
B     0:08  3      YES
B     0:09  5      YES

I have already colored them orange, green, and blue above. So if we have this data, we would alert because the green and blue groups fulfill the alert condition. The orange one did not fulfill it because only 1 out of 3 points is OOC. Please let me know if it's possible to alert this way. Thank you.
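The windowing logic the question describes (group by host, sort by time, cut each host's series into non-overlapping groups of three, alert when at least two of the three points are out of control), as an added Python example that is not part of the original post and is not Splunk code. The sample rows are constructed to mirror the table in the post; the threshold of 2, the window size of 3 and the 2-of-3 rule come from the post, while the function names and the record layout are my own choices.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data mirroring the table in the post: (host, time, value).
SAMPLE_ROWS: List[Tuple[str, str, int]] = [
    ("A", "0:01", 1),
    ("A", "0:02", 3),
    ("A", "0:02", 1),
    ("A", "0:03", 3),
    ("A", "0:04", 3),
    ("A", "0:06", 3),
    ("B", "0:06", 1),
    ("B", "0:08", 3),
    ("B", "0:09", 5),
]

OOC_THRESHOLD = 2   # a point is out of control when value > 2 (from the post)
WINDOW_SIZE = 3     # non-overlapping groups of three consecutive points per host
MIN_OOC_HITS = 2    # alert when at least 2 of the 3 points are OOC (3 of 3 also alerts)


def is_ooc(value: float, threshold: float = OOC_THRESHOLD) -> bool:
    """The OOC condition from the post: strictly greater than the threshold."""
    return value > threshold


def to_minutes(t: str) -> int:
    """Turn an 'H:MM' label into a sortable minute count."""
    hours, minutes = t.split(":")
    return int(hours) * 60 + int(minutes)


def group_by_host(rows) -> Dict[str, List[Tuple[str, float]]]:
    """Steps 1 and 2: bucket rows per host, then sort each bucket by time."""
    by_host = defaultdict(list)
    for host, t, value in rows:
        by_host[host].append((t, value))
    # sort() is stable, so rows sharing a timestamp (A at 0:02) keep input order
    for host in by_host:
        by_host[host].sort(key=lambda r: to_minutes(r[0]))
    return dict(by_host)


def alerting_windows(rows, window_size: int = WINDOW_SIZE,
                     min_hits: int = MIN_OOC_HITS) -> List[dict]:
    """Step 3: walk each host's series in tumbling windows and keep the ones that alert."""
    alerts = []
    for host, points in group_by_host(rows).items():
        for start in range(0, len(points), window_size):
            window = points[start:start + window_size]
            if len(window) < window_size:
                continue  # incomplete trailing group: not enough points to judge yet
            hits = sum(is_ooc(value) for _, value in window)
            if hits >= min_hits:
                alerts.append({
                    "host": host,
                    "window": start // window_size + 1,
                    "from": window[0][0],
                    "to": window[-1][0],
                    "ooc_hits": hits,
                })
    return alerts


if __name__ == "__main__":
    for alert in alerting_windows(SAMPLE_ROWS):
        print(alert)
```

On the sample data this yields two alerts: host A's second window (0:03 to 0:06, 3 of 3 OOC) and host B's only window (0:06 to 0:09, 2 of 3 OOC); host A's first window has a single OOC point and stays silent. Two design points worth settling before turning this into a scheduled search: the windows here are tumbling (non-overlapping), which is what the colored groups in the post imply, whereas a sliding window of three would also evaluate the 0:02/0:02/0:03 triple; and the incomplete trailing group is deliberately skipped so a host with only one or two points cannot trigger. In SPL the same shape is a `sort host, _time`, a `streamstats count as seq by host`, an `eval window=ceil(seq/3)`, then a `stats sum(ooc) as ooc_hits, count as n by host, window` filtered with `where n=3 AND ooc_hits>=2`.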