We are trying to determine how to create an alert to tell us when other users create alerts. I'm aware this is somewhat recursive thinking.
index=_internal sourcetype=scheduler user=maidman
| eval is_realtime=if(searchmatch("sid=rt* OR concurrency_category=real-time_scheduled"),"yes","no")
| table savedsearch_name, user, date_hour, date_minute
This tells me when an alert ran, but not the creation date.