oh one more thing, the content between "=" and "request" could be any number of character or number and can have multiple spaces as well ... View more

@richgalloway  the text trying to match here is anything after "=", until "request" so the complete text here is  message=abc ef x request-id ... View more

Hello @richgalloway  Thank you for taking the time and explaining. I really appreciate the time you vested in explaining this. Interestingly this one works      | rex field=_raw message="(?<message>.*).request"   So does the    | rex field=_raw "message="(?<message>.*).request""   but not the    "message=\\\"(?<message>.*).request\\\""   when I say work, I mean it is giving the desired result and by not working I mean not giving the desired result. Although in none of the cases there wasn't any syntax error. The one with the escaped quotation mark only gives the result until before the spaces i.e. if it is "message=abc efg request-id", it only prints "abc". Does this have anything to do with the Splunk version? 2. Regarding The sequence .* ("dot-star") means "everything from here on"  - I am assuming this regex and nothing to do with Splunk itself. So I tried to use this concept in a sublime text editor to see what happens. I used    message=Error translating Grubhub webhook order: The location for this order cannot be found request-id   and tried to replace message=.* with let's say new. I found the entire thing got wiped out and replaced with new. I was expecting something like message=new. I even tried message="(?.*).request", "message="(?.*).request"", but no changes happened. Is it because Splunk uses some different regex logic than sublime text editor? 3. I am still confused about the use of quotation mark, I tried using the website which you mentioned, but it confused me more lol.  ... View more

Hi @to4kawa can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using search instead using where service | where not reason like "%P%" |table status, reason ... View more

I am only using where but still the same ... View more

Hello @to4kawa It is still giving me values "X" and "Y" ... View more

Hi @richgalloway the raw data is like service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)] and my <search criteria> is service ... View more

Hello @gcusello Thank you. I think i can use this ... View more

Hello @gcusello Can you help me with the syntax if i want to use date_wday and date_hour ... View more

It seems the splunk integration was broken because I did not include some text in the message section. All sorted and thanks for your help ... View more

although I am using earliest but i still changed the time range from alert configuration to 2 mins (earlier it was 12 hours) still no luck ... View more

Hello @manjunathmeti @rich7177 Thanks for comments, few questions: As per splunk documentation sunday is treated as 0 Day of the week: 0-6 (where 0 = Sunday) https://docs.splunk.com/Documentation/Splunk/8.0.2/Alert/CronExpressions is this not correct? can i not set crons for a single alert like */15 17-8,0-23 * * 1-4,5-0 over here https://share.getcloudapp.com/xQugnl7g OR Do i have to set two separate alerts (for same conditions i.e. to trigger at 50%) with separate crons one like */15 17-8 * * 1-4 and */15 0-23 * * 5-0 ... View more

Hi @harshpatel I dont have access to the backend. I am only using the GUI. Is this something i can retrieve from the GUI? Regards Pradipto Dasgupta ... View more

It does not seem to happening like that, it is considering the occurrences of the previously considered events as well ... View more

I am not sure I understood completely ... View more

yes your understanding is correct exclude result that CONFIRMED for last 3 times. But this query also giving me a merchantId which has status CONFIRMED. Not sure if this relevant but why the below query of streamstats is giving so many result instead just 1, I think the time factor needs to be included to resolve the overall index=apps sourcetype="pos-generic:prod" AND "Received request to change" AND (status=CONFIRMED OR status=REJECTED) merchantId=1400622 partner_account_name="Level Up" | streamstats last(status) AS ABC | table merchantId, ABC https://share.getcloudapp.com/E0uqlD1p ... View more

not sure if this makes any sense, I was trying to break the query little bit more to understand why it is showing merchantId where prev status was confirmed, Executed this index=apps sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED partner_account_name="Level Up" | streamstats last(status) AS prev_status by merchantId | streamstats last(prev_status) AS two_prev_status by merchantId | eval consecutive_alerts=if(status="CONFIRMED" OR prev_status="CONFIRMED" OR two_prev_status="CONFIRMED","ALERT","GOOD") | table merchantId, status, prev_status, two_prev_status, consecutive_alerts | search consecutive_alerts="GOOD" merchantId = 1290828 shows rejected in all three columns status , prev_status & two_prev_status https://share.getcloudapp.com/04uKrBQ4 But if individually try to find this merchantId, the last 2 status is rejected but the 3rd one is confirmed sourcetype="pos-generic:prod" partner_account_name="Level Up" merchantId=1290828 | table _time, status | stats count by _time, status |sort _time desc https://share.getcloudapp.com/xQug9rRz ... View more

BTW I tried changing this line | eval consecutive_alerts=if(status="CONFIRMED" AND prev_status="CONFIRMED" AND two_prev_status="CONFIRMED","ALERT","GOOD") to | eval consecutive_alerts=if(status!="CONFIRMED" AND prev_status!="CONFIRMED" AND two_prev_status!="CONFIRMED","ALERT","GOOD") and | eval consecutive_alerts=if(status="REJECTED" AND prev_status="REJECTED" AND two_prev_status="REJECTED","ALERT","GOOD") but not luck ... View more

I executed this index=apps status=CONFIRMED OR status=REJECTED partner_account_name="Level Up" | stats count by status, merchantId | xyseries merchantId, status, count | eval result = (REJECTED)/((CONFIRMED+REJECTED))*100 | eval count = CONFIRMED + REJECTED | sort result desc | streamstats last(status) AS prev_status by merchantId | streamstats last(prev_status) AS two_prev_status by merchantId | eval consecutive_alerts=if(status="CONFIRMED" AND prev_status="CONFIRMED" AND two_prev_status="CONFIRMED","ALERT","GOOD") I am getting the result like this https://share.getcloudapp.com/p9uKjoKm there are now new columns as prev_status , two_prev_status & consecutive_alerts ( i am fine if these columns are not showing up) but my main objective is to show be merchants in table with their reject % which did not have last 3 consecutive status as confirmed. As per the result tried checking with merchantId=1286021 but i can see there was one last confirmed https://share.getcloudapp.com/lluyzAg7 BTW I tried changing this line | eval consecutive_alerts=if(status="CONFIRMED" AND prev_status="CONFIRMED" AND two_prev_status="CONFIRMED","ALERT","GOOD") to | eval consecutive_alerts=if(status!="CONFIRMED" AND prev_status!="CONFIRMED" AND two_prev_status!="CONFIRMED","ALERT","GOOD") and | eval consecutive_alerts=if(status="REJECTED" AND prev_status="REJECTED" AND two_prev_status="REJECTED","ALERT","GOOD") but not luck ... View more