Solved: Splunk Query to check two Conditions

prakashsbk · ‎10-09-2023

Hi All

We are trying to get the incidents which are in open state (ie AlertStatus only equal to CREATE) .

Table Out is below :

Here IncidentID 1414821 has both AlertStatus = CLEAR and CREATE , this Incident ID should not get displayed . We need IncidentID only with Alertstaus = CREATE.

we ran with

| eval IncidentID=case(AlertStatus="CREATE" AND AlertStatus!="CLEAR",IncidentID)
| table IncidentID AlertStatus

When we run an Query it should only Display IncidentID value 1437718

Thanks and Regards

gcusello · ‎10-09-2023

Hi @prakashsbk,

could you share your search?

you should use something like this:

<your_search>
| stats dc(AlertStatus) AS AlertStatus_count values(AlertStatus) AS AlertStatus BY IncidentID
| search AlertStatus_count<2 AND AlertStatus = "CREATE"
| table IncidentID AlertStatus

having your search I could be more detailed.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎10-09-2023

Hi @prakashsbk,

could you share your search?

you should use something like this:

<your_search>
| stats dc(AlertStatus) AS AlertStatus_count values(AlertStatus) AS AlertStatus BY IncidentID
| search AlertStatus_count<2 AND AlertStatus = "CREATE"
| table IncidentID AlertStatus

having your search I could be more detailed.

Ciao.

Giuseppe

prakashsbk · ‎10-10-2023

Thanks a lot for your quick help and support , Query is working as expected.

Splunk Query to check two Conditions

eval

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

Are you a member of the Splunk Community?

Splunk Query to check two Conditions

eval

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!