Solved: OR function

Lennard · ‎12-13-2023

Hi guys,

I started today with Splunk and have one question.

I want to use an or function that if the second "or" the third row is active I got the trigger.

Any ideas how to do it?

| eval last_backup_t =strptime(last_backup, "%Y-%m-%d %H:%M:%S.%N%z")

| where last_backup_t < relative_time(now(), "-2d@d")

| search is_offline= true

Thanks

ITWhisperer · ‎12-13-2023

OR is usually placed between predicates in a logical evaluation, e.g. as part of a where command.

Splunk works on a pipeline of events and you can't compare between events (without bringing them together in a correlated event).

Alerts can be triggered based on expressions, for example, number of events left in the pipeline, so perhaps you need to fashion a search which returns the events you are interested in and trigger on the presence of these events?

View solution in original post

ITWhisperer · ‎12-13-2023

OR is usually placed between predicates in a logical evaluation, e.g. as part of a where command.

Splunk works on a pipeline of events and you can't compare between events (without bringing them together in a correlated event).

Alerts can be triggered based on expressions, for example, number of events left in the pipeline, so perhaps you need to fashion a search which returns the events you are interested in and trigger on the presence of these events?

Lennard · ‎12-13-2023

Thanks, I just tried:

| where last_backup_t < relative_time(now(), "-1d@d-4h") or is_offline="true"

So i didn´t need the "search", sometimes the resolution is easier than you think... 😄

OR function

eval

other

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake