I want something like that.
I tried to use the following query.
| eval status_envio=if(tempo_status<=172800, "notificacao", [ search notable | search status_label=Resolved | eval owner="Automatic" | eval urgency="informational" | eval status=5 | eval comment="Finished" | rex mode=sed field=comment "s/,/\n/g" | eval user="Automatic" | eval time=now() | outputlookup append=true incident_review_lookup ] )
... View more