Alerting

How do I exclude multiple specific source-alerts from search results?

HenryFitzerald
New Member

I have four alerts and wanted to exclude these specific FOUR(ALERT1,ALERT2,ALERT3,ALERT4) from the alert trigger search.

I was expecting this query to work using NOT, but it does not work and ALERT1 & 2 currently appears. Could anyone please assist?

<query>index=universal_alerts_   
         NOT  ( source =ALERT1               AND
                      source =ALERT2              AND         
                      source =ALERT3              AND
                      source =ALERT4              AND
                     )
        | timechart count by source
</query>

This query seems a valid alternative?? But, I am not sure why ????

<query>  
             index=universal_alerts_   
                    ( source! =ALERT1              AND
                      source! =ALERT2              AND         
                      source! =ALERT3              AND
                      source! =ALERT4              AND
                     )
                 |  timechart count by source
</query>  
0 Karma
1 Solution

woodcock
Esteemed Legend

You are using AND and should be using OR like this:

index=universal_alerts_ AND NOT (source ="ALERT1" OR source ="ALERT2" OR source ="ALERT3" OR source ="ALERT4)
| timechart count by source

View solution in original post

0 Karma

woodcock
Esteemed Legend

You are using AND and should be using OR like this:

index=universal_alerts_ AND NOT (source ="ALERT1" OR source ="ALERT2" OR source ="ALERT3" OR source ="ALERT4)
| timechart count by source
0 Karma

HenryFitzerald
New Member

Thanks it should include an OR .

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@HenryFitzerald ,

You can try this also.

 <query>
    index=universal_alerts_ 
    NOT (source="ALERT1" OR source="ALERT2" OR source="ALERT3" OR source="ALERT4") 
| timechart count by source
 <query>

Thanks

0 Karma

Vijeta
Influencer

Try this

<query>  
              index=universal_alerts_   
                   NOT  source IN("ALERT1", "ALERT2","ALERT3","ALERT4")

                  |  timechart count by source
 </query>  
0 Karma

vishaltaneja070
Motivator

Hello @HenryFitzerald ,

try something like this:
index=universal_alerts_ NOT
[| makeresults | eval source= "ALERT1;ALERT2;ALERT3;ALERT4;" | eval source=split(source,";") | mvexpand source | fields - _time] | timechart count by source

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...