I have a use case where I want to setup Splunk Alerts for certain Exception events. I have already defined standard Error messages for these individual Exceptions. Below is a sample use case: Exception Event 1: Exception Event 2: Standard Error Message 1 Common Message Common Message In the above use case, when Exception Event 1 happens, it outputs 2 messages to the Log (Standard Error Message 1 and Common Message). When Exception Event 2 happens, it only outputs the Common Message to the log. For defining Splunk Alert for the Event 1, I want to ensure that I am checking the 2 counts of search results matching both the Message 1 and Common Message to ensure that both these searches return the same results count for a given time period. Is it possible to achieve this type of Splunk query using eval and If statement? My objective is to ensure that I am able to accurately identify scenario for the Exception Event 1 occurring where both the messages would be output to the logs in the same count.
... View more