I am new to Splunk and trying to create an alert for a message; however, I keep getting false positives when the message is sent seconds apart.
I would like the search to find events where the message is sent over 45 minutes apart.
Does anyone have any ideas, or is the search too complex?
index=wh_trading_feeds KICKOFF_*_FIRST_HALF NOT KICKOFF_*_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" earliest=@now() latest=+45m
| stats count by whId
| where count = 2
| eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/"+whId
| table eventTitle
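The gap-based version of this alert, written here as an added example rather than the poster's own search. It keeps the index, search terms and whId field from the post; the 24-hour lookback and the output field names (first_seen, last_seen, gap_min) are assumptions. Instead of counting messages per whId, it measures the time between the first and last message for each whId, so two messages seconds apart (the false-positive case) fall below the 45-minute threshold and are dropped, while two messages 45 or more minutes apart still fire.

```spl
index=wh_trading_feeds KICKOFF_*_FIRST_HALF NOT KICKOFF_*_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" earliest=-24h latest=now
| stats min(_time) AS first_seen, max(_time) AS last_seen, count BY whId
| eval gap_min = round((last_seen - first_seen) / 60, 1)
| where count >= 2 AND gap_min >= 45
| eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/" . whId
| fieldformat first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table whId first_seen last_seen gap_min eventTitle
```

Time modifiers such as earliest and latest belong in the base search, not inside eval, which is why the original search errors out; if the alert should compare each message only with the one immediately before it rather than the first and last overall, replace the stats line with `streamstats current=f last(_time) AS prev_time BY whId` after a `sort 0 whId _time` and compute the gap from prev_time.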