I thought the entire idea of Splunk is to dynamically change table content based on log messages. No? Joking aside, one possible method is to use transaction.

    | transaction startswith="AlarmNotification=NEW" endswith="AlarmNotification=CLEARED" AlarmID
    | where closed_txn == 0

Here I assume that AlarmID uniquely identifies an alarm that is being cleared. If not, you can add other fields necessary to identify the alarm. There are many methods to use stats to accomplish this, too. Assuming AlarmID is unique, you can do

    | stats values(*) as * by AlarmID
    | where NOT AlarmNotification == "CLEARED"

Transaction is expensive. So stats is usually preferred. Hope this helps.
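To make the two ideas in the answer concrete, the following Python is an added illustration (not the answerer's code and not Splunk itself): it parses a handful of constructed key=value alarm lines and computes "still open" alarms in two ways. `open_alarms_values` models the set-of-states logic behind the `stats values(*)` approach, where an AlarmID that has ever been CLEARED is dropped; `open_alarms_latest` keeps only the most recent state per AlarmID, which is what an order-aware `latest()`-style aggregation would do. The two differ when an AlarmID is cleared and then raised again, which is the "AlarmID is unique" assumption the answer calls out. Field names, log format and timestamps are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original post). They follow the
# AlarmNotification=<state> / AlarmID=<id> key=value convention the answer assumes.
# AlarmID 1001 is raised, cleared, then raised again: the edge case that
# distinguishes the two aggregation strategies below.
SAMPLE_LOG = """\
2024-01-01T10:00:00 AlarmNotification=NEW AlarmID=1001 Host=core-sw1 Msg="link down"
2024-01-01T10:00:05 AlarmNotification=NEW AlarmID=1002 Host=core-sw2 Msg="fan fault"
2024-01-01T10:02:00 AlarmNotification=CLEARED AlarmID=1001 Host=core-sw1 Msg="link up"
2024-01-01T10:03:00 AlarmNotification=NEW AlarmID=1003 Host=fw1 Msg="cpu high"
2024-01-01T10:04:00 AlarmNotification=NEW AlarmID=1001 Host=core-sw1 Msg="link down"
"""

KV_PATTERN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split '<iso timestamp> key=value key="quoted value" ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {"_time": datetime.fromisoformat(ts)}
    for key, value in KV_PATTERN.findall(rest):
        fields[key] = value.strip('"')
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def open_alarms_values(events):
    """Set-of-states model of `stats values(*) as * by AlarmID | where NOT CLEARED`.

    Every state an AlarmID ever had is collected; any AlarmID that was ever
    CLEARED is treated as closed, regardless of what happened afterwards.
    """
    states = defaultdict(set)
    for event in events:
        states[event["AlarmID"]].add(event["AlarmNotification"])
    return sorted(alarm for alarm, seen in states.items() if "CLEARED" not in seen)


def open_alarms_latest(events):
    """Order-aware model: keep only the most recent state per AlarmID.

    This is what a latest()-by-time aggregation would report, and it correctly
    treats a re-raised alarm as open again.
    """
    latest_state = {}
    for event in sorted(events, key=lambda e: e["_time"]):
        latest_state[event["AlarmID"]] = event["AlarmNotification"]
    return sorted(alarm for alarm, state in latest_state.items() if state != "CLEARED")


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("values-style open alarms:", open_alarms_values(events))
    print("latest-style open alarms:", open_alarms_latest(events))
```

Run as a script, the values-style result omits AlarmID 1001 because a CLEARED event exists for it, while the latest-style result includes it because its most recent event is NEW. If AlarmIDs can be reused, the order-aware form is the one that answers "what is open right now"; if each AlarmID occurs in at most one NEW/CLEARED pair, both agree.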