I apologize for my ignorance, but I'm still confused on this. I'll look into aligning my search to an absolute time window. But, for the sake of simplicity, assume I am running this every 5 minutes, searching only the last 5 minutes (accepting the inherent problems with that). Trying to use your example, how would I prevent the alert from triggering when events are greater than 200 between midnight and 12:20am UTC? And what if I wanted to change that to between midnight and 2:30am?

index=myindex source=logfile*
| eval earliest=relative_time(now(),"@d")-(count*86400)
| eval latest=relative_time(now(),"@d")-(count*86400)+14400
| stats count as Events by source
| where Events >=200

Thank you
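One way to suppress the alert during a fixed UTC time-of-day window, as an added example that is not part of the original post or the earlier reply. It assumes the search is scheduled every 5 minutes as described; because epoch seconds count from 00:00 UTC, now() % 86400 gives the seconds elapsed since UTC midnight regardless of the search head's timezone, so the quiet window does not depend on relative_time's timezone handling. The index and source names are taken from the post; quiet_end is the only value to change when the window moves from 00:20 to 02:30.

```spl
index=myindex source=logfile*
| stats count as Events by source
| where Events >= 200
| eval utc_sec = now() % 86400
| eval quiet_start = 0
| eval quiet_end = 20*60
| where NOT (utc_sec >= quiet_start AND utc_sec < quiet_end)
| fields - utc_sec quiet_start quiet_end
```

Set quiet_end to 150*60 (9000 seconds) for a midnight-to-02:30 UTC window; the threshold is still evaluated every run, only the rows that fall inside the window are dropped before the alert condition sees them.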