Multiple stats count logic - Splunk Community

Splunk Search

I have an alert which tirggers on following:

index=xxx sourcetype=xxx_cdr_event host=**at** |search cause_code IN (500)| bucket span=30m _time |stats count by _time,host|where count>=20|sort -count

But it creates some noises based on calling and called parties.

For calling_party_address noise I have to use following:

index=xxx sourcetype=xxx_cdr_event host=**at**|search cause_code IN (500)|eval pmp =substr(icid_value,1,4)| bucket span=30m _time |stats count by _time,host,calling_party_address|where count>20|sort -count

For called_party_address noise I have to use following:

index=sbg sourcetype=xxx_cdr_event host=**at**|search cause_code IN (500)|eval pmp =substr(icid_value,1,4)| bucket span=30m _time |stats count by _time,host,called_party_address|where count>20|sort -count

How can I add the calling and called party logic in the original alert search to make is noiseless?

Thanks.

Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...