Hi @SplunkSN, ok, but the logs you're using for the alert come from two different hosts, one active and one passive. So, if I understood correctly, you want to use only host1 when host1 is the active one, and host2 when host2 is the active one.

One question: can you have logs from both host1 and host2? If yes, are they different? If they are the same, you could dedup the results using the duplicated fields that you have in your alert, or you could group the results so that the host value isn't relevant. Could you share your alert search?

Bye.
Giuseppe

Check if the host field in the results of your alarm is only the active host; in this case you can
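The two approaches suggested in the reply above, written out in SPL as an added example (this is not from the original thread; the index `app_logs`, the sourcetype `myapp:alerts`, the time window and the field names `user`, `src_ip`, `action`, `status` are assumptions, not anything @SplunkSN posted). The first search keeps one event per logical record by running `dedup` over every field except `host`, so whichever of host1/host2 emitted the copy is irrelevant. The second search groups with `stats` by the same fields; `host` is reduced to an informational multivalue field and a distinct count, so a record seen on both hosts is counted once and you can see directly whether the passive node is actually producing duplicates.

```spl
index=app_logs sourcetype=myapp:alerts (host=host1 OR host=host2) earliest=-15m
| fields _time host user src_ip action status
| dedup _time user src_ip action status
| table _time host user src_ip action status

index=app_logs sourcetype=myapp:alerts (host=host1 OR host=host2) earliest=-15m
| stats count dc(host) AS host_count values(host) AS seen_on_hosts min(_time) AS first_seen BY user src_ip action status
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort - first_seen
```

Before relying on the `dedup`, run the `stats` version once: if `host_count` is always 1, only the active node is logging and the `host` field already identifies it, so no dedup is needed. If the two nodes stamp the same record with slightly different `_time` values, drop `_time` from the `dedup` key (or `bin _time span=1s` first), otherwise the copies will not collapse.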