https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586191#M15931 <P>Hey,</P> <P>I have a rule, that report to me each time source stop sending logs to my splunk.</P> <P>I try to make an exception, that when a specific source from a specific host will stop sending logs, it wont trigger an alert.</P> <P>for example:</P> <P>i will get alerts from</P> <P><SPAN>host=* source=*</SPAN></P> <P>but not when its</P> <P>host=windows31 source=application</P> <P>&nbsp;</P> <UL> <LI>Is it possible to do that? because i try to work on it for a few days already.</LI> </UL> <P>&nbsp;</P> Wed, 23 Feb 2022 16:41:58 GMT Tomers 2022-02-23T16:41:58Z https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586191#M15931 <P>Hey,</P> <P>I have a rule, that report to me each time source stop sending logs to my splunk.</P> <P>I try to make an exception, that when a specific source from a specific host will stop sending logs, it wont trigger an alert.</P> <P>for example:</P> <P>i will get alerts from</P> <P><SPAN>host=* source=*</SPAN></P> <P>but not when its</P> <P>host=windows31 source=application</P> <P>&nbsp;</P> <UL> <LI>Is it possible to do that? because i try to work on it for a few days already.</LI> </UL> <P>&nbsp;</P> Wed, 23 Feb 2022 16:41:58 GMT https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586191#M15931 Tomers 2022-02-23T16:41:58Z https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586195#M15932 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243321">@Tomers</a>,</P><P>I could help you better if you could share your search, also because it isn't clear for me how your rule works.</P><P>Anyway, you could add the second condition to your search:</P><LI-CODE lang="markup">index=your_index NOT(host=windows31 source=application) | ...</LI-CODE><P>if you have many of these conditions, you could put them in a lookup (called e.g. exceptions.csv &nbsp;with two columns called host and source) and use the lookup to filter your results.</P><LI-CODE lang="markup">index=your_index NOT [ | inputlookup exceptions.csv | fields host source ] | ...</LI-CODE><P>&nbsp;Ciao.</P><P>Giuseppe</P> Wed, 23 Feb 2022 11:23:10 GMT https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586195#M15932 gcusello 2022-02-23T11:23:10Z https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586199#M15933 <P>Thank you! It does work now</P><P>for some reason that is the only thing i didnt think of.</P><P>&nbsp;</P><P>FYI-</P><P>My search is(i only added the condition lines here)-</P><P class="lia-indent-padding-left-30px">|tstats latest(_time) as _time where index=* by sourcetype host</P><P class="lia-indent-padding-left-30px">|where _time&lt;relative_time(now(), "-1h")</P><P class="lia-indent-padding-left-30px">|fields sourcetype host _time</P> Wed, 23 Feb 2022 11:43:29 GMT https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586199#M15933 Tomers 2022-02-23T11:43:29Z https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586201#M15934 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243321">@Tomers</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 23 Feb 2022 11:47:36 GMT https://community.splunk.com/t5/Security/How-to-compare-two-values-on-same-row/m-p/586201#M15934 gcusello 2022-02-23T11:47:36Z