Event status: False positive (25 May), False positive (24 May), Investigating (23 May), Investigating (22 May), Service degradation (21 May).
Here the status changed from Service degradation to Investigating, then an alert should be raised; then the status changed from Investigating to Investigating, then the alert is not raised; then the status changed from Investigating to False positive, then an alert should be raised.
Dashboard query:

index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval myTimeNewEpoch=strptime(LastUpdatedTime,"%Y-%m-%dT%H:%M:%S")
| eval Time=strftime(myTimeNewEpoch,"%Y-%m-%d %H:%M:%S")
| rename DisplayName as Application
| table Time Application Status Description
| sort -Time
Please help me with the query to create the alert.
Thanks in advance.
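One way to build the alert search described above, added here as an example and not part of the original post: sort the service messages chronologically, carry the previous Status forward with streamstats, and keep only the events where the status actually changed (an Investigating to Investigating update produces no row, so no alert). Field names (LastUpdatedTime, Status, DisplayName, Description) and the timestamp format are taken from the dashboard query and assumed to match the indexed data.

```spl
index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval _time=strptime(LastUpdatedTime,"%Y-%m-%dT%H:%M:%S")
| sort 0 _time
| streamstats current=f window=1 last(Status) as PrevStatus by DisplayName
| where isnotnull(PrevStatus) AND Status!=PrevStatus
| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| rename DisplayName as Application
| table Time Application PrevStatus Status Description
| sort -Time
```

Save this as a scheduled alert that triggers when the number of results is greater than 0; the search time range must reach back far enough to include the previous update for the same application, otherwise the first event in the window has no PrevStatus and a real change is missed.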