I am trying to create a Splunk alert where the log line is delimited with commas. I need to get field 4 and check if the value is greater than a threshold, then raise an alert. I am able to search the field from the corresponding file but unable to fetch the unique field. Please help with getting the corresponding field, which is delimited with commas, > threshold.

Log: when I search for ,dat1, it gets me both the lines:

date,dat1,queue,0,100,0,0,0,0
date,am.dat1,queue,10000,23,34,0,0

Search:

index=index host="hostname" source="logpath" dat1
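As an added illustration (not part of the question above, and not a Splunk command), the following Python reproduces the alert logic offline: split each comma-delimited line into fields, match the name in field 2 exactly so that "dat1" does not also pick up "am.dat1", and compare field 4 against a threshold. The sample lines are the two from the question plus one constructed extra line; the threshold value and the assumption that field 4 is the metric are mine.

```python
import csv
from io import StringIO

# Constructed sample: the two lines from the question plus one extra "dat1"
# line that exceeds the threshold (assumption: field 4 is the metric to watch).
SAMPLE_LOG = """\
date,dat1,queue,0,100,0,0,0,0
date,am.dat1,queue,10000,23,34,0,0
date,dat1,queue,2500,100,0,0,0,0
"""


def parse_lines(text):
    """Split comma-delimited log lines into lists of fields (csv handles quoting)."""
    return [row for row in csv.reader(StringIO(text)) if row]


def matches_name(fields, name):
    """Exact equality on field 2, so 'dat1' does not also match 'am.dat1'
    the way a substring/term search for dat1 would."""
    return len(fields) > 1 and fields[1] == name


def over_threshold(fields, threshold, index=3):
    """True when the 4th field (index 3) parses as a number and exceeds threshold."""
    try:
        return float(fields[index]) > threshold
    except (IndexError, ValueError):
        return False  # malformed or short line: never alert on unparseable data


def find_alerts(text, name="dat1", threshold=1000):
    """Return the field-4 values of every line for `name` that breach the threshold."""
    return [float(f[3]) for f in parse_lines(text)
            if matches_name(f, name) and over_threshold(f, threshold)]


if __name__ == "__main__":
    for value in find_alerts(SAMPLE_LOG):
        print(f"ALERT: dat1 field 4 = {value:g} exceeds threshold")
```

The same three steps map onto a Splunk search as field extraction, an exact equality filter on the name field, and a numeric comparison on field 4, rather than a bare term search for dat1.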