Splunk Search

How to filter out few data showing up from my search string while setting a alert notification on triggering condition

Snehaan
Explorer

Hello team,

My search string is as below: 

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE 

 
 

splunk_1.PNG

 

And the result screenshot is above. The AR1, BE1 ect are source system codes and the numerical values for each source system in the rows are the aggregate trade counts for respective source system at the time span starting from 00:00:00 hours till 05:00:00 hours. However for source systems like BE2 and MA1 the count doesn't alter all through the day and is always 1.

Now when I want to custom trigger a notification alert using this search string when threshold value of trade counts for each individual source system is less than 10 at 08:00:00 then by default always BE2 and MA1 comes up in alert.  Hence if I only want to exclude these two source system and take rest into consideration while setting up my custom trigger notification. How to achieve this? 

Kindly help me with your valuable inputs.

Labels (2)
0 Karma
1 Solution

to4kawa
Ultra Champion

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | search ODS_SRC_SYSTEM_CODE!="BE2" OR ODS_SRC_SYSTEM_CODE!="MA1" | where TradeCount < 10

View solution in original post

to4kawa
Ultra Champion

index=qrp STAGE IN ("*_RAW", T_FEED_MESSAGES) | stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | search ODS_SRC_SYSTEM_CODE!="BE2" OR ODS_SRC_SYSTEM_CODE!="MA1" | where TradeCount < 10

Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...