Thank you for the help. I was able to extract the fields now. When I run query 1, I have found that event_name "pending-transfer" with a task_id of 3 has event_id "1274856" repeated three times in a row, which means that there is no increment in the event_id. However, when I run query 2 for the same event_name "pending-transfer", it doesn't give any output. Technically, query 2 should send an alert (I have created the alert to run every minute, but still NO alert was triggered) because there is no change in the event_id for the events that were triggered at 9/4/22 10:02:39 PM and 9/4/22 09:57:39 PM. Not sure if I am missing something.

Query 1: Alert if there is an increment

| stats list(_time) as _time list(event_id) as event_id by event_name task_id
| where mvindex(_time, 0) > mvindex(_time, -1) AND mvindex(event_id, 0) > mvindex(event_id, -1)
    OR mvindex(_time, 0) < mvindex(_time, -1) AND mvindex(event_id, 0) < mvindex(event_id, -1)
| fieldformat _time = strftime(_time, "%F %H:%M:%S.%3Q")

Below is the output that I am getting when I run query 1:

Time                 event_name        task_id  event_id
9/4/22 10:02:39 PM   pending-transfer  3        1274856
9/4/22 09:57:39 PM   pending-transfer  3        1274856
9/4/22 09:52:39 PM   pending-transfer  3        1274856
9/4/22 09:47:39 PM   pending-transfer  3        1274851
9/4/22 09:37:39 PM   pending-transfer  3        1274849

Query 2: Alert if there is NO increment

| stats list(_time) as _time list(event_id) as event_id by event_name task_id
| where mvindex(event_id, 0) = mvindex(event_id, -1)
| fieldformat _time = strftime(_time, "%F %H:%M:%S.%3Q")

Thank You
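The behaviour described in the post follows from how the two where clauses are evaluated: `stats list()` collects every event_id for the group into one multivalue field, and `mvindex(event_id, 0) = mvindex(event_id, -1)` compares only the first and the last element of that whole list (1274856 against 1274849 in the table above), so three identical values at the top of the list never satisfy it. The Python below is an added illustration, not code from the poster or from Splunk: it emulates `stats list(...) by event_name task_id` and both where clauses over constructed sample events that mirror the table, assumes the default most-recent-first event order that `list()` accumulates in, and adds a hypothetical `stalled_runs` check that looks only at the N most recent values, which is the condition the post is actually trying to alert on.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events mirroring the table in the post, most recent first
# (the default order in which Splunk returns events, and therefore the order in
# which stats list() accumulates them). Columns: _time, event_name, task_id, event_id.
SAMPLE_EVENTS = [
    ("2022-09-04 22:02:39", "pending-transfer", 3, 1274856),
    ("2022-09-04 21:57:39", "pending-transfer", 3, 1274856),
    ("2022-09-04 21:52:39", "pending-transfer", 3, 1274856),
    ("2022-09-04 21:47:39", "pending-transfer", 3, 1274851),
    ("2022-09-04 21:37:39", "pending-transfer", 3, 1274849),
]


def stats_list(events):
    """Emulate: | stats list(_time) as _time list(event_id) as event_id by event_name task_id"""
    groups = defaultdict(lambda: {"_time": [], "event_id": []})
    for ts, name, task, eid in events:
        g = groups[(name, task)]
        g["_time"].append(datetime.fromisoformat(ts).timestamp())
        g["event_id"].append(eid)
    return groups


def mvindex(mv, i):
    """Emulate SPL mvindex(): 0 is the first element, -1 the last."""
    return mv[i]


def query1(groups):
    """Emulate the post's query 1: first and last element move in the same direction."""
    matched = []
    for key, g in groups.items():
        t, e = g["_time"], g["event_id"]
        if (mvindex(t, 0) > mvindex(t, -1) and mvindex(e, 0) > mvindex(e, -1)) or \
           (mvindex(t, 0) < mvindex(t, -1) and mvindex(e, 0) < mvindex(e, -1)):
            matched.append(key)
    return matched


def query2(groups):
    """Emulate the post's query 2: first and last event_id of the whole list are equal.

    With the sample data the first element is 1274856 and the last is 1274849,
    so no group matches, which is exactly the "no output" the post observes.
    """
    return [key for key, g in groups.items()
            if mvindex(g["event_id"], 0) == mvindex(g["event_id"], -1)]


def stalled_runs(groups, min_repeats=3):
    """Hypothetical replacement check (not from the post): flag a group whose
    `min_repeats` most recent event_ids are all identical, regardless of how
    many older, different values follow them in the list."""
    matched = []
    for key, g in groups.items():
        recent = g["event_id"][:min_repeats]
        if len(recent) == min_repeats and len(set(recent)) == 1:
            matched.append(key)
    return matched


if __name__ == "__main__":
    groups = stats_list(SAMPLE_EVENTS)
    print("query1 matches:", query1(groups))          # the group is reported, as in the post
    print("query2 matches:", query2(groups))          # empty, as in the post
    print("stalled_runs   :", stalled_runs(groups))   # the group with three repeated ids
```

The SPL counterpart of `stalled_runs` is to dedup the leading slice of the multivalue field instead of comparing its ends, for example `| where mvcount(mvdedup(mvindex(event_id, 0, 2))) = 1`, which is true only when the three most recent event_ids are identical. When adapting this, confirm the order of the `list()` output in your own search (reverse it with `| sort _time` before `stats` if you need oldest-first), since both the post's queries and this check depend on it.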