Re: complex stats to trigger on count of events

dm2 · ‎02-28-2024

I have this rule, I need it to trigger when results / count of events is greater than 4 but the "Trigger Condition" did not work.
Is there something I can add to the query ?

dm2 · ‎02-28-2024

I saying that the rule needs to trigger when events > 4, and the 'Trigger Condition' did not work.

This is the rule that triggered (triggered on one event):

inventsekar · ‎02-28-2024

ok something is not clear.

the trigger condition is results count greater than 4, then trigger/run the trigger conditions.

1) do you say that when the results are greater than 4, but still the trigger did not work.

2) on your latest reply, you got only one result, but the trigger condition ran successfully ya?

Can you pls attach the trigger conditions screenshot pls.

gcusello · ‎02-28-2024

Hi @dm2,

please, share your search in text mode, otherwise it's more difficoult to help you.

You can insert the text using the "Insert/Edit code sample" button.

Ciao.

Giuseppe

dm2 · ‎02-28-2024

| stats count dc("File Name") as "File Name Count" first(_time) as _time, values(host) as host, values("File Type") as "File Type", values(Policy) as Policy, values(SHA256) as SHA256, values("Block Reason") as "Block Reason", values(Blocked) as Blocked by "File Name"

inventsekar · ‎02-28-2024

Hi @dm2 .. the SPL looks good and working fine also(as per the image).

the trigger condition says the result greater than 4 and the image shows result 1. so the trigger condition was not triggered.

are you saying that, when the result is greater than 4 also the trigger condition not triggering?

complex stats to trigger on count of events

stats

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!