topic Add another condition Help in Splunk Search

Add another condition Help

dave0970 — Tue, 29 Sep 2020 20:31:48 GMT

Hello, please help create a search add another condition to fire this alert if there are no results

Here is the splunk output if there is no result

localhost.localdomain: timed out, nothing received

***Request timed out

index=timevariance | multikv | where isint(when) | rex field=remote "(?*\w*)" | eval abs_offset=abs(offset) | search abs_offset>=100000 | append [ search index=_* ERROR sourcetype=splunkd component=ExecProcessor NOT admon message="ntp" | stats count values(message) as _raw by host ] | eval alert_contact=case(host LIKE "irprinfspl%", "Security", host LIKE "deprinfspl%", "Security", host LIKE "%", "SysEng") | eval alert_description="Time Out of Sync. Use NOC portal to sync up time & restart ntp service. Any other issues contact alert_contact." | table _time, host, alert_contact, alert_description, _raw | search host!=splnod host!="pvtemplate"

Re: Add another condition Help

renjith_nair — Fri, 20 Jul 2018 13:09:19 GMT

@dave0970,

Are you looking for something similar?

index=timevariance | multikv | where isint(when) | rex field=remote "(?*\w)" | eval abs_offset=abs(offset) | search abs_offset>=100000 | append [ search index=_* ERROR sourcetype=splunkd component=ExecProcessor NOT admon message="ntp" | stats count values(message) as _raw by host ] | eval alert_contact=case(host LIKE "irprinfspl%", "Security", host LIKE "deprinfspl%", "Security", host LIKE "%", "SysEng") | eval alert_description="Time Out of Sync. Use NOC portal to sync up time & restart ntp service. Any other issues contact alert_contact." | table _time, host, alert_contact, alert_description, _raw | search (host!=splnod  AND 
 host!="pvtemplate") OR ("nothing received")

Re: Add another condition Help

dave0970 — Fri, 20 Jul 2018 13:29:48 GMT

Hi Renjith,

Thank you! I will test it out. Thanks