Hi @isoutamo, thanks for the reply Unfortunately, I dont know how many processes are writing to said file. I can only use it "as is". You are right however, this issue should be addressed on the side of the application(s) writing to that file. Regards ... View more

Of course, sorry I didnt think about that beforehand <row> <panel> <table> <title>Latest events</title> <search> <query>| rest /servicesNS/-/-/alerts/fired_alerts/- | search eai:acl.app = myapp severity = 3</query> <earliest>$alerts_timepicker.earliest$</earliest> <latest>$alerts_timepicker.latest$</latest> <refresh>10m</refresh> <refreshType>delay</refreshType> </search> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="search_id">$row.sid$</set> </drilldown> </table> </panel> </row> <row> <panel> <event> <title>Alert Details</title> <search> <query>| loadjob $search_id$ </query> <earliest>$alerts_timepicker.earliest$</earliest> <latest>$alerts_timepicker.latest$</latest> </search> <option name="list.drilldown">none</option> <option name="refresh.display">progressbar</option> </event> </panel> </row>   ... View more

Ciao @gcusello  Thank you for your continued help. I must be doing something fundamentally wrong. If I run the search as you describe it, it returns zero results. Current setup Index = "myIndex" eventtype = "myEventtype" returns 1196 events Lookup file "known-events" contains a single event, identified by the "composite primary key": _time, host, source_file I would thus expect that the query you provided returns 1196 - 1 results. To  adress your point and make sure that the field names are the exact same, I tried this: index = myIndex eventtype = myEventtype | fields _time, host, source_file NOT [| inputlookup known-events.csv | fields _time, host, source_file ] This gives the following error: Error in 'fields' command: Invalid argument: 'source_file=some_file_name-[some-host_name].txt'  I am not quite sure what to make of this ... View more

Hi @zapping575, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hehe 🙂 Alright, thanks for your input! ... View more

Hi @zapping575, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Acknowledged. thanks ... View more

Thats a really good question. I have the alert setup to run every hour. The reason I am searching within the last 30 days is because I have some thresholds at hand for my alerts. Those thresholds are per host and per month. It just occurred to me that if the threshold for an alert is zero (which it is for the alert in question) I might as well ignore the per-month rule. So I could just search within the last hour instead while still suppressing previous alerts for the past hour and the field _time. This still isnt "perfect" but better than getting all events from the past 30 days listed in the alert results. ... View more