Hi,
I am trying to create an alert that I need check if status "work in progress" was opened for more than 1 hour, if status work in progress was opened for than 1 hour and doesn't have the status resolved or closed trigger the alert.
My search eventtype=sc_status | search id!="" AND (status="work in progress" OR status="closed" OR status="Resolved") | search id="IM5020749" | table _time, id, status
Return this:
_time id status
2015-07-03 11:55:40 IM5020749 Resolved
2015-07-03 10:03:36 IM5020749 Work in progress
... View more