Hi , How long after did you get the results ? ... View more

As of May 2017, two new customer certifications are available: Splunk Certified User and Splunk Certified Architect II. Certification policies have been updated as of May 2017. https://www.splunk.com/en_us/view/education/SP-CAAAAH9 NOTE - you have to get "Splunk Certified User" Certification, then only you can do PowerUser Certification. Splunk Certified User https://www.splunk.com/view/SP-CAAAJEN Splunk Certified Power User https://www.splunk.com/view/SP-CAAAP2X Splunk Fundamentals 1 https://www.splunk.com/view/SP-CAAAPX9 Splunk Fundamentals 2 https://www.splunk.com/view/SP-CAAAPYB ... View more

Hi, We are trying the below query. index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing " NOT (zmondyn*) earliest=-20d | dedup dtIncidentName dtIncidentMessage dtIncidentServerName | table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed | search dtIncidentIsClosed!="True" | eval diff_mins=(now()-_time)/60 | table _time diff_mins | where diff_mins>30 | stats count as diff30mins | append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h| stats count as countforanhour ] | stats values(*) as * | eval alertme=if(countforanhour>10 OR diff30mins>1,1,0) | search alertme=1 This query works fine for the first condition(if we get 4 alert within 1 hour then alertme=1) but seems not working properly for second condition( alertme if the events open for more than 30 mins). ... View more