I have a query to send an alert, which has 2 conflicting conditions:
|where alarm=1
generate some sum information only when the alarm happens
|where alarm=0
do something to clean the alarm
|table *
But I can only do one of them. If I put where alarm=1 first, then I can only generate the alarm; otherwise, I can only clean the alarm.
If I put where alarm=1 OR alarm=0, it cannot generate the sum information for the alarm data, for example |eventstats list(x) etc.
Any suggestion? Thanks in advance.
Please provide some sample events for a better understanding of your scenario.
In general, you should be able to do conditional stats,
e.g.
stats count(eval(field1 != field2)) as mismatch_count
Thanks.
The problem becomes how to get a list of values with the condition. For example, I need to get some value lists where alarm=1, but I also need to deal with alarm=0.
| where alarm=1 OR alarm=0
|eventstats list(create_session) as create_session list(Dn) as Dns by _time  (ONLY alarm==1)
|eventstats list(IPs) as IPs by _time  (ONLY alarm==0)
|table IPs create_session Dns
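Putting the conditional-stats suggestion from the answer together with the field names in the follow-up, here is an added example (not from the thread) of how one eventstats call can build the alarm=1 lists and the alarm=0 list side by side. It builds its own sample events with makeresults, so the field values are constructed, and it assumes the fields alarm, create_session, Dn and IPs from the follow-up post.

```spl
| makeresults count=4
| streamstats count as n
| eval _time=relative_time(now(), "@d"),
       alarm=if(n<=2, 1, 0),
       create_session=if(alarm=1, "sess".n, null()),
       Dn=if(alarm=1, "dn".n, null()),
       IPs=if(alarm=0, "10.0.0.".n, null())
| eventstats list(eval(if(alarm=1, create_session, null()))) as create_session_list,
             list(eval(if(alarm=1, Dn, null()))) as Dns,
             list(eval(if(alarm=0, IPs, null()))) as IPs_list
       by _time
| table alarm create_session_list Dns IPs_list
```

The eval inside each list() returns null() for rows that do not match the condition, and stats functions skip nulls, so every row in the _time group ends up carrying both the alarm=1 lists and the alarm=0 list without a second search pass.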