https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-few-data-showing-up-from-my-search-string/m-p/531868#M150241 <P>Hello team,</P><P>My search string is as below:&nbsp;</P><P>index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="splunk_1.PNG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12173i2F1FA140F03EE20C/image-size/medium?v=v2&amp;px=400" role="button" title="splunk_1.PNG" alt="splunk_1.PNG" /></span></P><P>&nbsp;</P><P><SPAN>And the result screenshot is above. The AR1, BE1 ect are source system codes and the numerical values for each source system in the rows are the aggregate trade counts for respective source system at the time span starting from 00:00:00 hours till 05:00:00 hours. However for source systems like BE2 and MA1 the count doesn't&nbsp;alter all through the day and is always 1. </SPAN></P><P><SPAN>Now when I want to custom trigger a notification alert using this search string when threshold value of trade counts for each individual source system is less than 10 at 08:00:00 then by default always&nbsp;BE2 and MA1 comes up in alert.&nbsp;&nbsp;</SPAN><SPAN>Hence if I only want to exclude these two source system and take rest&nbsp;into consideration while setting up my custom trigger notification. How to achieve this?&nbsp;</SPAN></P><P><SPAN>Kindly help me with your valuable inputs.</SPAN></P> Thu, 03 Dec 2020 14:01:49 GMT Snehaan 2020-12-03T14:01:49Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-few-data-showing-up-from-my-search-string/m-p/531868#M150241 <P>Hello team,</P><P>My search string is as below:&nbsp;</P><P>index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="splunk_1.PNG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12173i2F1FA140F03EE20C/image-size/medium?v=v2&amp;px=400" role="button" title="splunk_1.PNG" alt="splunk_1.PNG" /></span></P><P>&nbsp;</P><P><SPAN>And the result screenshot is above. The AR1, BE1 ect are source system codes and the numerical values for each source system in the rows are the aggregate trade counts for respective source system at the time span starting from 00:00:00 hours till 05:00:00 hours. However for source systems like BE2 and MA1 the count doesn't&nbsp;alter all through the day and is always 1. </SPAN></P><P><SPAN>Now when I want to custom trigger a notification alert using this search string when threshold value of trade counts for each individual source system is less than 10 at 08:00:00 then by default always&nbsp;BE2 and MA1 comes up in alert.&nbsp;&nbsp;</SPAN><SPAN>Hence if I only want to exclude these two source system and take rest&nbsp;into consideration while setting up my custom trigger notification. How to achieve this?&nbsp;</SPAN></P><P><SPAN>Kindly help me with your valuable inputs.</SPAN></P> Thu, 03 Dec 2020 14:01:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-few-data-showing-up-from-my-search-string/m-p/531868#M150241 Snehaan 2020-12-03T14:01:49Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-few-data-showing-up-from-my-search-string/m-p/532101#M150316 <P><SPAN>index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | search ODS_SRC_SYSTEM_CODE!="BE2" OR ODS_SRC_SYSTEM_CODE!="MA1" | where TradeCount &lt; 10</SPAN></P> Sat, 05 Dec 2020 07:17:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-few-data-showing-up-from-my-search-string/m-p/532101#M150316 to4kawa 2020-12-05T07:17:39Z