Splunk Search

How to filter out few data showing up from my search string while setting a alert notification on triggering condition

Snehaan
Explorer

Hello team,

My search string is as below: 

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE 

 
 

splunk_1.PNG

 

And the result screenshot is above. The AR1, BE1 ect are source system codes and the numerical values for each source system in the rows are the aggregate trade counts for respective source system at the time span starting from 00:00:00 hours till 05:00:00 hours. However for source systems like BE2 and MA1 the count doesn't alter all through the day and is always 1.

Now when I want to custom trigger a notification alert using this search string when threshold value of trade counts for each individual source system is less than 10 at 08:00:00 then by default always BE2 and MA1 comes up in alert.  Hence if I only want to exclude these two source system and take rest into consideration while setting up my custom trigger notification. How to achieve this? 

Kindly help me with your valuable inputs.

Labels (2)
0 Karma
1 Solution

to4kawa
Ultra Champion

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | search ODS_SRC_SYSTEM_CODE!="BE2" OR ODS_SRC_SYSTEM_CODE!="MA1" | where TradeCount < 10

View solution in original post

to4kawa
Ultra Champion

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | search ODS_SRC_SYSTEM_CODE!="BE2" OR ODS_SRC_SYSTEM_CODE!="MA1" | where TradeCount < 10

Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...