Hi guys,
I started today with Splunk and have one question.
I want to use an OR function so that if the second or the third row is active, I get the trigger.
Any ideas how to do it?
| eval last_backup_t =strptime(last_backup, "%Y-%m-%d %H:%M:%S.%N%z")
| where last_backup_t < relative_time(now(), "-2d@d")
| search is_offline= true
Thanks
OR is usually placed between predicates in a logical evaluation, e.g. as part of a where command.
Splunk works on a pipeline of events and you can't compare between events (without bringing them together in a correlated event).
Alerts can be triggered based on expressions, for example, number of events left in the pipeline, so perhaps you need to fashion a search which returns the events you are interested in and trigger on the presence of these events?
Thanks, I just tried:
| where last_backup_t < relative_time(now(), "-1d@d-4h") or is_offline="true"
So I didn't need the "search"; sometimes the resolution is easier than you think... 😄
data:image/s3,"s3://crabby-images/2f34b/2f34b8387157c32fbd6848ab5b6e4c62160b6f87" alt=""