Solved: How to filter out few data showing up from my sear...

Snehaan · ‎12-03-2020

Hello team,

My search string is as below:

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE

And the result screenshot is above. The AR1, BE1 ect are source system codes and the numerical values for each source system in the rows are the aggregate trade counts for respective source system at the time span starting from 00:00:00 hours till 05:00:00 hours. However for source systems like BE2 and MA1 the count doesn't alter all through the day and is always 1.

Now when I want to custom trigger a notification alert using this search string when threshold value of trade counts for each individual source system is less than 10 at 08:00:00 then by default always BE2 and MA1 comes up in alert. Hence if I only want to exclude these two source system and take rest into consideration while setting up my custom trigger notification. How to achieve this?

Kindly help me with your valuable inputs.

to4kawa · ‎12-04-2020

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | search ODS_SRC_SYSTEM_CODE!="BE2" OR ODS_SRC_SYSTEM_CODE!="MA1" | where TradeCount < 10

View solution in original post

to4kawa · ‎12-04-2020

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | search ODS_SRC_SYSTEM_CODE!="BE2" OR ODS_SRC_SYSTEM_CODE!="MA1" | where TradeCount < 10

How to filter out few data showing up from my search string while setting a alert notification on triggering condition

eval

stats

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!