Hi All,

Hope you all are doing well.

I was trying to setup email alert and event creation using Splunk and it was working fine. But i got a new condition in the existing alert.

The condition is to avoid 2 alerts and event creation when there is a specific alert. In my case when there is ABC alert then i have to ignore XYZ and PQR.

Logic seems to be simple, when ABC comes avoid XYZ and PQR....

But i am unable to execute it on Splunk. I tried below query but i think it will yield a null when there are any other alerts apart from the ABC.

index="myindex" sourcetype="mysourcetype"  lab_hub_name="XYZ Hub" rag_status="0" ( lab_hub_tag="LKJ" OR
lab_hub_tag="ABC" OR
lab_hub_tag="PQR" OR
lab_hub_tag="XYZ" OR
lab_hub_tag="QWE" OR
lab_hub_tag="ERT" OR
lab_hub_tag="FGH") earliest=-7m latest=now
| stats latest(_time) as latest_tim, count by lab_hub_tag
| rename count as rag_count
| join type=left lab_hub_tag  [search index="myservicenow" sourcetype="snow:incident" short_description="Splunk Alert - XYZ*" state!="7" earliest=-1d latest=now
| rex field=short_description "Splunk Alert - XYZ - (?[\S ]+$)"
| stats latest(state) as state, count by lab_hub_tag short_description
| fields - count]
| eval one=if(lab_hub_tag="ABC" AND rag_count>0,"yes","Null")
| search one= yes
| fillnull state short_description
| eval temp_count=if(rag_count>0 AND state="6" OR state="0",1,0)
| eval correlation_id=latest_tim.lab_hub_tag
| where temp_count=1

Please let me know how i can achieve this one.

Thanks for your help.