Multiple stats count logic - Splunk Community

Splunk Search

I have an alert which tirggers on following:

index=xxx sourcetype=xxx_cdr_event host=**at** |search cause_code IN (500)| bucket span=30m _time |stats count by _time,host|where count>=20|sort -count

But it creates some noises based on calling and called parties.

For calling_party_address noise I have to use following:

index=xxx sourcetype=xxx_cdr_event host=**at**|search cause_code IN (500)|eval pmp =substr(icid_value,1,4)| bucket span=30m _time |stats count by _time,host,calling_party_address|where count>20|sort -count

For called_party_address noise I have to use following:

index=sbg sourcetype=xxx_cdr_event host=**at**|search cause_code IN (500)|eval pmp =substr(icid_value,1,4)| bucket span=30m _time |stats count by _time,host,called_party_address|where count>20|sort -count

How can I add the calling and called party logic in the original alert search to make is noiseless?

Thanks.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with another ...