Splunk Dev

Can you help me trigger severity based on two violations and below criteria?

mnair001c
New Member
 sourcetype=xreGuide XRE-07*** IS_VISIBLE=true
 | bucket _time span=10m 
 | stats dc(receiverId) as receiverIds by _time 
 | eval psev=case(receiverIds<=499, "4", receiverIds<=9999, "2", receiverIds>10000, "1") 
 | eventstats count as VIOLATIONS by psev 
 | eval severity=if(VIOLATIONS>1 AND psev=3, 3, 4) 
 | eventstats min(severity) as overallSeverity 
 | fields _time receiverIds overallSeverity 
 | rename overallSeverity as severitye
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Kinda hard to guess what you want to achieve based on failed SPL attempts.

Can you describe your scenario in natural language?

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

Hi @mnair001c,

Thanks for providing an example of the work you tried. However, can you provide more context for your question? You have a much better chance of getting your question answered if you would provide more information.

0 Karma

mnair001c
New Member

I modified this query further
receiverId << this are unique identifier
What i am trying to do is only show result based on the violations > 1
Examples
If Violation > 1 and severity count is 4, 3, then the result should be sev-4
If Violation > 1 and severity count is 3, 3, then the result should be sev-3
If Violation > 1 and severity count is 2, 3, then the result should be sev-3
If Violation > 1 and severity count is 2, 2, then the result should be sev-2
If Violation > 1 and severity count is 2, 1, then the result should be sev-1
If Violation > 1 and severity count is 1, `, then the result should be sev-1

Below is hte modified query

sourcetype=Test Error Error IS_VISIBLE=true
| bucket _time span=10m
| stats dc(receiverId) as receiverIds by _time
| eval sev=case('receiverIds'>10000, "1", 'receiverIds'>2999 and 'receiverIds'<9999, "2", 'receiverIds'>500 and 'receiverIds'<=2999, "3", 'receiverIds'<499, "4")
| eventstats count as VIOLATIONS by sev
| fields _time receiverIds sev

0 Karma

woodcock
Esteemed Legend

I do not understand your Examples. The part that says is 4, 3, makes no sense to me.

0 Karma

felipesewaybric
Contributor

I didn't understand that part either. But can you give an example o a critical criteria?

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...