Hello experts,
I am new to splunk. I have a file with below values .I have Indexed time as well. I need to write a query to alert if any id has text=started and consequent 2 other texts ( it can be anything) for the same id in < 5 minutes.
id text
123 started
123 in progress
123 halted
213 started
213 finished
456 started
456 running
456 in progress
Kindly help.
I tried
index=test text="started" |stats count by id. But that is showing only the started ones and does not have the other texts . The other texts are random so cannot specify in a search.
Thanks a lot,
Cheers,
Naomi
↧