Splunk Search

How to deal with 2 conflicting conditions in where

jenniferhao
Explorer

I have a query that sends an alert, which has 2 conflicting conditions:

|where alarm=1
generate some summary information only when the alarm happens

|where alarm=0
do something to clear the alarm

|table *
But I can only do one of them. If I put where alarm=1 first, then I can only generate the alarm; otherwise, I can only clear the alarm.

If I put where alarm=1 OR alarm=0, it cannot generate the summary information for the alarm data, for example with |eventstats list(x) etc.

Any suggestion? Thanks in advance.

 

 

0 Karma

renjith_nair
Legend

Please provide some sample events so we can better understand your scenario.

In general, you should be able to do conditional stats,

e.g.

stats count(eval(field1 != field2)) as mismatches
---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:
0 Karma

jenniferhao
Explorer

Thanks. 

The problem becomes: how can I get a list of values with a condition? For example, I need to get some value lists where alarm=1, but I also need to deal with alarm=0.

| where alarm=1 OR alarm=0

| eventstats list(create_session) as create_session list(Dn) as Dns by _time   //ONLY alarm=1
| eventstats list(IPs) as IPs by _time   //ONLY alarm=0

| table IPs create_session Dns

0 Karma
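One way to keep both branches in a single search is to move the condition inside the aggregation function with eval(), so each list is built only from the events that match it while the full stream (alarm=1 and alarm=0 together) stays available for the clean-up step. This is an added example and not code from the thread above: it assumes the field names from the post (alarm, create_session, Dn, IPs) and that alarm is 1 or 0, and the first six lines fabricate four sample events with makeresults (two alarm=1, two alarm=0, all at the same _time) so it can be pasted into any Splunk search bar without real data.

```spl
| makeresults count=4
| streamstats count as n
| eval alarm=if(n<=2, 1, 0)
| eval create_session=if(alarm=1, "sess".n, null())
| eval Dn=if(alarm=1, "dn".n, null())
| eval IPs=if(alarm=0, "10.0.0.".n, null())
| eventstats count(eval(alarm=1)) as alarm_count
             list(eval(if(alarm=1, create_session, null()))) as alarm_sessions
             list(eval(if(alarm=1, Dn, null()))) as alarm_dns
             list(eval(if(alarm=0, IPs, null()))) as clear_ips
             by _time
| eval action=if(alarm=1, "raise", "clear")
| table _time alarm action alarm_count alarm_sessions alarm_dns clear_ips
```

The eval() inside each list() returns null() for events that do not match, and stats functions skip nulls, so alarm_sessions and alarm_dns are populated only from alarm=1 events and clear_ips only from alarm=0 events, even though eventstats sees every event in the group. In the sample, every row carries alarm_count=2, alarm_sessions sess1 and sess2, alarm_dns dn1 and dn2, and clear_ips 10.0.0.3 and 10.0.0.4; the action column then tells the later part of the search which branch each event belongs to. For the real alert, replace the makeresults block with the base search, use values() instead of list() if duplicates are unwanted, and switch eventstats to stats by _time if the alert should produce one row per interval rather than one per event.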