I understand. You can make a little progress using the strategy of pulling alerts that are triggered. My search is as follows:

index=_audit action="alert_fired" ss_app=search (ss_name="alert 1" OR ss_name="alert 2")
| rename ss_name AS title
| stats count by title, ss_app, _time
| sort -_time

With this search I can bring up the two alerts that I want to combine. Is it possible to get certain fields from these two alerts? In this case, I want to get the user. I can only generate the alert if the user is the same; the problem is that there are two different log providers and therefore the field that has the user value has different names.
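Added example (not part of the post above, and not Splunk's own documentation): the alert_fired events in index=_audit only record that a saved search triggered, not the fields of the events that caused it, so a user match has to be made on the underlying log data. The search below reads both providers' logs, normalizes the two differently named user fields into one field with coalesce(), and keeps only users seen by both sources in the window. The index names (provider_a, provider_b), sourcetypes, and the field names user_name and account are placeholders standing in for the two providers' real values.

```spl
(index=provider_a sourcetype="provider_a:logs") OR (index=provider_b sourcetype="provider_b:logs")
| eval user=coalesce(user_name, account)
| eval user=lower(trim(user))
| where isnotnull(user)
| eval source_alert=if(sourcetype=="provider_a:logs", "alert 1", "alert 2")
| stats dc(source_alert) AS alerts_matched, values(source_alert) AS alerts, min(_time) AS first_seen, max(_time) AS last_seen BY user
| where alerts_matched=2
```

The coalesce() call returns the first non-null of the two provider-specific fields, so each event ends up with a single user value regardless of which provider logged it; lower() and trim() keep "Alice" and "alice " from being counted as two users. The dc(source_alert)=2 filter is what implements the "only alert if the user is the same" condition: a user that appears in only one provider's logs is dropped before the alert fires.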