Just to add more here, here is the complete search:

| from datamodel:"Project_job_events"
| where clusterName=="ITS07-SD02A"
| where eventStatus=="Failure"
| table _time,objectName,message,locationName,eventStatus,objectType,objectId,_raw

I did the below for each field:

| eval json_field=split(_raw,",")
| eval field1=mvindex(json_field,1)
| eval field2=mvindex(json_field,2)
| eval field3=mvindex(json_field,3)
| eval field4=mvindex(json_field,4)
| eval field5=mvindex(json_field,5)
| eval field6=mvindex(json_field,6)
| eval field7=mvindex(json_field,7)
| eval field8=mvindex(json_field,8)
| eval itsi_entity=objectName,
       itsi_event_key=objectId,
       itsi_correlation_key=objectId,
       message=message,
       itsi_message="Alerting time: "+human_readable_time+"~~"+field1+"~~"+field2+"~~"+field3+"~~"+field4+"~~"+field5+"~~"+field6+"~~"+field7+"~~"+field8,
       itsi_impact=case(like(message,"%Failed project %"),"High", like(message,"%Failed Compliance Project%"),"High", true(),"Medium"),
       itsi_urgency=case(like(message,"%Failed project %"),"High", like(message,"%Failed Compliance project%"),"High", true(),"Medium")

Requirement - For a message like "Failed project", the search should basically count three failures and then send an alert. The below search works when we run it from the index and so on, but when I try to keep it in an eval statement it does not. Moreover, I tried keeping it above itsi_impact and inside of it as well, still no luck.
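An added example, not part of the original post, showing how the "three failures, then alert" requirement can be met. The reason it cannot be done inside eval is that eval works one event at a time; counting across events needs a transforming command such as stats (or streamstats/eventstats), run before the itsi_* fields are built. This example uses the field names from the post; it assumes the count should be per objectId within the time range the correlation search is scheduled over (e.g. earliest=-1h), and it replaces the undefined human_readable_time with strftime(_time, ...) since the post never defines that field. Note that like() is case-sensitive, so "%Failed Compliance Project%" and "%Failed Compliance project%" match different messages; the example uses the capitalised form for both impact and urgency, which is an assumption about the real message text.

```spl
| from datamodel:"Project_job_events"
| where clusterName=="ITS07-SD02A" AND eventStatus=="Failure"
| where like(message, "%Failed project %") OR like(message, "%Failed Compliance Project%")
| eval json_field=split(_raw, ",")
| eval field1=mvindex(json_field,1), field2=mvindex(json_field,2), field3=mvindex(json_field,3), field4=mvindex(json_field,4),
       field5=mvindex(json_field,5), field6=mvindex(json_field,6), field7=mvindex(json_field,7), field8=mvindex(json_field,8)
| stats count AS failure_count,
        latest(_time) AS _time,
        latest(message) AS message,
        latest(objectName) AS objectName,
        latest(objectType) AS objectType,
        latest(locationName) AS locationName,
        latest(field1) AS field1, latest(field2) AS field2, latest(field3) AS field3, latest(field4) AS field4,
        latest(field5) AS field5, latest(field6) AS field6, latest(field7) AS field7, latest(field8) AS field8
        BY objectId
| where failure_count>=3
| eval human_readable_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval itsi_entity=objectName,
       itsi_event_key=objectId,
       itsi_correlation_key=objectId,
       itsi_message="Alerting time: "+human_readable_time+" ("+tostring(failure_count)+" failures)~~"+field1+"~~"+field2+"~~"+field3+"~~"+field4+"~~"+field5+"~~"+field6+"~~"+field7+"~~"+field8,
       itsi_impact=case(like(message,"%Failed project %"),"High", like(message,"%Failed Compliance Project%"),"High", true(),"Medium"),
       itsi_urgency=itsi_impact
| table _time, objectId, objectName, failure_count, itsi_entity, itsi_event_key, itsi_correlation_key, itsi_message, itsi_impact, itsi_urgency
```

The early `where like(...)` filter keeps the count to the two message patterns that should alert, and the `where failure_count>=3` after `stats` is what holds the notable event back until the third failure; the scheduled search's time range is the window over which the three are counted. `stats` drops every field it does not aggregate, which is why each field the itsi_* evals need is carried through with latest(). If a rolling count across schedule runs is needed rather than a count within one run, `streamstats count AS failure_count BY objectId time_window=1h` over time-sorted events is the alternative, with the same `where failure_count>=3` afterwards.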