From the data you have shown, none of the cpu_load_percent appear to be over 85. Could this be why the alert hasn't triggered? ... View more

Does running the alert search manually fetches proper results? Start with this base search and slowly add portions of your search, one at a time, to troubleshoot in which steps extraction/calculations are failing index="content" source="catalina.out" "org.apache.catalina.startup.Catalina.start Server startup" NOT Caesium | table _time _raw host ... View more

@richgalloway  Thanks, It worked!! ... View more

I figured out the following, can this be tweaked?   sourcetype="access_log" host=hstname* USERID "search" | eval headers=split(_raw," ") | eval method=mvindex(headers,5) | eval Request=mvindex(headers,6) | eval Status=mvindex(headers,8) | eval Payload=mvindex(headers,9) | eval req_time=mvindex(headers,10) | eval uri=mvindex(headers,11) | eval Method=replace(method,"\"","") | eval uri=replace(uri,"\"","") | eval RequestTime_Seconds = req_time*0.001 | eval Response_Time_in_Seconds= round(RequestTime_Seconds,2) | table Response_Time_in_Seconds host _time Request Status | where Response_Time_in_Seconds > 5   The Output i get:   Response_Time_in_Seconds host _time Request Status 1 5.89 HOSTNAME 2021-08-20 02:40:31 /rest/api/2/search 200 2 7.34 HOSTNAME 2021-08-20 04:42:25 /rest/api/2/search 200 ... View more

You might want to format the day column | fieldformat day=strftime(day,"%Y-%m-%d") ... View more

Hi @praneethlekkala, good for you! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more