I have an alert set up in Splunk which uses the search string below.
index="someapp" sourcetype = "some:app" "some_scheduler" "E