Splunk Search

how to deal with 2 conflicting conditions on where

jenniferhao
Explorer

I have a query to send an alert, which has 2 conflicting conditions:

|where alarm=1
generate some summary information only when an alarm happens

|where alarm=0
do something to clear the alarm

|table *

But I can only do one of them. If I put where alarm=1 first, then I can only generate the alarm; otherwise, I can only clear the alarm.

If I put where alarm=1 OR alarm=0, it cannot generate the summary information for the alarm data, for example |eventstats list(x) etc.

Any suggestion? Thanks in advance.

0 Karma

renjith_nair
SplunkTrust

Please provide some sample events to better understand your scenario.

In general, you should be able to do conditional stats, e.g.

| stats count(eval(field1 != field2)) AS mismatches
Happy Splunking!
0 Karma

jenniferhao
Explorer

Thanks. 

The problem becomes how I can get a list of values with the condition. For example, I need to get some value lists where alarm=1, but I also need to deal with alarm=0:

| where alarm=1 OR alarm=0

| eventstats list(create_session) as create_session list(Dn) as Dns by _time   //ONLY alarm==1
| eventstats list(IPs) as IPs by _time   //ONLY alarm==0

| table IPs create_session Dns

0 Karma
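The conditional-stats pattern from the reply, applied to the fields in the follow-up post, as an added example that is not part of this thread: instead of filtering with two contradictory where clauses, each list() is wrapped in eval(if(...)) so that it only aggregates rows matching one alarm state, and null() drops the others from the list. The sample events are constructed with makeresults (two alarm=1 rows and one alarm=0 row in the same _time bucket, plus one alarm=0 row in a later bucket); the output field names alarm_sessions, alarm_dns and clear_ips are assumptions chosen so the original create_session, Dn and IPs fields are not overwritten.

```spl
| makeresults count=4
| streamstats count AS n
``` constructed sample data: n=1..3 share one timestamp, n=4 is later ```
| eval _time=if(n<=3, 1000, 2000)
| eval alarm=if(n<=2, 1, 0)
| eval create_session=if(alarm=1, "sess-".n, null())
| eval Dn=if(alarm=1, "dn-".n, null())
| eval IPs=if(alarm=0, "10.0.0.".n, null())
``` conditional aggregation: null() rows are skipped by list(), so each list only
    sees the alarm state it is meant for, while every event stays in the pipeline ```
| eventstats list(eval(if(alarm=1, create_session, null()))) AS alarm_sessions
             list(eval(if(alarm=1, Dn, null())))             AS alarm_dns
             list(eval(if(alarm=0, IPs, null())))            AS clear_ips
             BY _time
``` now the alarm=1 rows carry the summary lists and the alarm=0 rows carry the
    clearing data; a later where/eval can branch on alarm without losing either ```
| table _time alarm create_session Dn IPs alarm_sessions alarm_dns clear_ips
```

For the rows at _time=1000, alarm_sessions lists sess-1 and sess-2, alarm_dns lists dn-1 and dn-2, and clear_ips lists 10.0.0.3; the row at _time=2000 has empty alarm lists and clear_ips of 10.0.0.4. The same trick works with values(), count() or sum(): put the condition inside eval() and give the result a new name with AS, because the original alarm field is still available afterwards for the alert's own where clause.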