Multiple stats count logic - Splunk Community

Splunk Search

I have an alert which tirggers on following:

index=xxx sourcetype=xxx_cdr_event host=**at** |search cause_code IN (500)| bucket span=30m _time |stats count by _time,host|where count>=20|sort -count

But it creates some noises based on calling and called parties.

For calling_party_address noise I have to use following:

index=xxx sourcetype=xxx_cdr_event host=**at**|search cause_code IN (500)|eval pmp =substr(icid_value,1,4)| bucket span=30m _time |stats count by _time,host,calling_party_address|where count>20|sort -count

For called_party_address noise I have to use following:

index=sbg sourcetype=xxx_cdr_event host=**at**|search cause_code IN (500)|eval pmp =substr(icid_value,1,4)| bucket span=30m _time |stats count by _time,host,called_party_address|where count>20|sort -count

How can I add the calling and called party logic in the original alert search to make is noiseless?

Thanks.

Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...