Archive
Highlighted

Can you help me trigger severity based on two violations and below criteria?

New Member
 sourcetype=xreGuide XRE-07*** IS_VISIBLE=true
 | bucket _time span=10m 
 | stats dc(receiverId) as receiverIds by _time 
 | eval psev=case(receiverIds<=499, "4", receiverIds<=9999, "2", receiverIds>10000, "1") 
 | eventstats count as VIOLATIONS by psev 
 | eval severity=if(VIOLATIONS>1 AND psev=3, 3, 4) 
 | eventstats min(severity) as overallSeverity 
 | fields _time receiverIds overallSeverity 
 | rename overallSeverity as severitye
0 Karma
Highlighted

Re: Can you help me trigger severity based on two violations and below criteria?

Splunk Employee
Splunk Employee

Hi @mnair001c,

Thanks for providing an example of the work you tried. However, can you provide more context for your question? You have a much better chance of getting your question answered if you would provide more information.

0 Karma
Highlighted

Re: Can you help me trigger severity based on two violations and below criteria?

New Member

I modified this query further
receiverId << this are unique identifier
What i am trying to do is only show result based on the violations > 1
Examples
If Violation > 1 and severity count is 4, 3, then the result should be sev-4
If Violation > 1 and severity count is 3, 3, then the result should be sev-3
If Violation > 1 and severity count is 2, 3, then the result should be sev-3
If Violation > 1 and severity count is 2, 2, then the result should be sev-2
If Violation > 1 and severity count is 2, 1, then the result should be sev-1
If Violation > 1 and severity count is 1, `, then the result should be sev-1

Below is hte modified query

sourcetype=Test Error Error IS_VISIBLE=true
| bucket _time span=10m
| stats dc(receiverId) as receiverIds by _time
| eval sev=case('receiverIds'>10000, "1", 'receiverIds'>2999 and 'receiverIds'<9999, "2", 'receiverIds'>500 and 'receiverIds'<=2999, "3", 'receiverIds'<499, "4")
| eventstats count as VIOLATIONS by sev
| fields _time receiverIds sev

0 Karma
Highlighted

Re: Can you help me trigger severity based on two violations and below criteria?

Esteemed Legend

I do not understand your Examples. The part that says is 4, 3, makes no sense to me.

0 Karma
Highlighted

Re: Can you help me trigger severity based on two violations and below criteria?

Contributor

I didn't understand that part either. But can you give an example o a critical criteria?

0 Karma
Highlighted

Re: Can you help me trigger severity based on two violations and below criteria?

SplunkTrust
SplunkTrust

Kinda hard to guess what you want to achieve based on failed SPL attempts.

Can you describe your scenario in natural language?

0 Karma