Hi @richgalloway  My ask was  Corn schedule: every 3 hours exclude from 10pm to 7 am  We don't want to receive alert from 10 pm to 7 am ... View more

There was some maintenance activity was there ... View more

I just tried for 4 to 5 alerts it not trigger yesterday But again I tried today I am getting auto cuts now Not sure what happened    ... View more

Around when ServiceNow and Splunk integration was done? recent or long back? Long back    the servicenow tickets auto cut(incident creation) was working fine previously Yes it was working fine  did you do any upgrades recently?(on SH, indexers, the apps, etc) No recent upgraded ... View more

Hi @richgalloway . , thank you it worked. I have one more question is there any way I can restrict events in splunk For example From the above query if I get 10 same logs in 1 hour How can I write a query to fetch only 5 records in 1 hour ... View more

I want to see the list of  alerts  that are scheduled to run every 10 minutes ... View more

@bowesmana , thank you for the query But I am getting all the alerts how can I add filter to see only 10 mins scheduled alerts I tried using search or where command for cron scheduled field but it not coming. ... View more

i am using the below query by mention join, please let me know is this query correct ???? index=app-map-idx   shname=niht_map_* | append [| inputlookup   customerdata.csv |addinfo | where  _time>=info_min_time AND _time<=info_max_time  |fields - info* |eval done=1, shname=device."_name",  source=device."_name"] |table _time   sys operation web pass fail fvb  quantity done shname |eventstats sum(done) as done by shname sys |bucket _time span=w |stats sum(*) as * values(done) as done dc(web) as webb by _time shname  sys operation |appendpipe [| search sys="wi lapcdmb" operation="login page" OR operation="app page" OR operation="userpage" OR operation="custpage"] |foreach pass fail  fvb  quantity [|eval  <<FIELD>>=<<FILED>>*0.09] |eval sys="pim"] | eval  "pass percentage"=pass/quantity*100 |eval iel=fail/quantity*100 |fillnull fvb value=0 |rename  pass as Pass,   fail as Fail,  sys as Sys,  fvb as Fvb,   quantity as Quantity,  operation as Operation,  webb as Webb |lookup application.csv Sys  OUTPUT   App  mtr |search mtr=given |table  _time pass percentage iel App Sys  Operation Webb Pass Fail Qyantity Fvb   |sort 0 Sys |join type=left _time Sys Operation Webb [search  index=blrm-app-idx  sourcetype=blrm_appl  "QA: ab"  OR "QA: cd"  OR "QA: ef"  OR "QA: gh" (procedure=POST web="/cate/surface*")  OR  (procedure=GET web="/choc/plain/otp*")  OR  (procedure=POST web="/may/duration")  OR  (procedure=GET web="/year/days")  OR   web="/nam/power/error")  OR  web="/move/cloud")  OR   web="/mont/days NOT [|inputlookup  angryer.csv |rename PI as result |fields result] | eval  type=case((faildigit=978 OR faildigit=435 OR faildigit=543 OR faildigit=987), "error", (faildigit>98763 AND faildigit<98765 )  OR faildigit=123 OR faildigit=456 OR faildigit=789,  fvb,  isnull(faildigit), "pass",   isnotnull(faildigit), "error") |search pipe = "error" |eval operation=case(match(web,  "/cate/surface*"),  sigin app - customer,   procedure=GET AND  web="/choc/plain/otp*") ,  sigin app - application,   procedure=POST AND web="/may/duration",  sigin app - client,   procedure=GET  AND web="/year/days", sigin app - app1,  OR   web="/nam/power/error",  sigin app - app2  OR  web="/move/cloud", sigin app - app3 OR   web="/mont/days, sigin app - app4,  1=1, "unknown") |eval  web = procedure." ".web |eval sys= case (cliapp=ab,  applibase,   cliapp=cd,  cusbase,    cliapp=ef,  efffilm,   cliapp=gh    gohome,  1=1, null()) |bin _time span=1h |stats dc(cust_ip) as effect_apps  by _time sys operation |appendpipe [|lookup application.csv  App OUTPUT App mtr |search mtr=given]]  ... View more

when i use left join i am not getting values under effect_apps. ... View more

sure will try, thank you ... View more