I want to create an alert that will fire if Splunk sees a log message from two separate sources in a 10 minute interval. For example, one event from Source1 and one event from Source2. The problem I'm running into is that Source2 may send more than one event in a ten minute interval, but I only want the alert to fire if it sees at least one message from Source1 and Source2 in ten minutes. Anyone have any ideas?
How about using dedup? In your search:
... | dedup source
and then create the >=2 events alert condition as usual.
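As an added illustration (not part of the answer above, and not Splunk's own code), the following Python runs the same dedup-style condition over a handful of constructed sample events: a 10 minute window, each source counted once no matter how many events it sent, alert when the distinct count reaches 2. The log format and the names Source1, Source2 and Source3 are assumptions. It also shows why the search should be restricted to the two sources of interest (for example `source=Source1 OR source=Source2`) before the `dedup source`: a bare `dedup source` over everything in the index counts any third source toward the >=2 threshold.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). Assumed format:
# "<ISO timestamp> source=<name> <free-text message>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 source=Source2 heartbeat missed
2024-05-01T10:03:00 source=Source2 heartbeat missed
2024-05-01T10:05:00 source=Source2 heartbeat missed
2024-05-01T10:20:00 source=Source1 auth failure
2024-05-01T10:27:00 source=Source2 heartbeat missed
2024-05-01T10:40:00 source=Source3 disk warning
2024-05-01T10:45:00 source=Source1 auth failure
"""

# The two sources the alert is about (assumed names from the question).
REQUIRED_SOURCES = frozenset({"Source1", "Source2"})
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the constructed log format into sorted (timestamp, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append((datetime.fromisoformat(ts_str), fields["source"]))
    return sorted(events)


def sources_in_window(events, window_end, window=WINDOW, only_required=True):
    """Distinct sources seen in (window_end - window, window_end].

    This mirrors `... | dedup source` over a 10 minute search window: a set
    keeps each source once regardless of how many events it produced. With
    only_required=True the equivalent of a `source=Source1 OR source=Source2`
    filter is applied first, so unrelated sources cannot count toward the
    threshold.
    """
    start = window_end - window
    seen = set()
    for ts, src in events:
        in_window = start < ts <= window_end
        wanted = (not only_required) or src in REQUIRED_SOURCES
        if in_window and wanted:
            seen.add(src)
    return seen


def should_alert(events, window_end, only_required=True):
    """Alert condition from the answer: distinct sources in the window >= 2."""
    return len(sources_in_window(events, window_end, only_required=only_required)) >= 2


def alert_times(events, only_required=True):
    """Evaluate the condition at every event time, as a scheduled search
    running after each new event would, and return the times it fires."""
    return [ts for ts, _ in events if should_alert(events, ts, only_required=only_required)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    # Three Source2 events at 10:00-10:05 with no Source1 do not fire;
    # Source1 at 10:20 plus Source2 at 10:27 fires once.
    print("with source filter:   ", alert_times(evs))
    # Without the filter, Source3 at 10:40 plus Source1 at 10:45 also fires.
    print("without source filter:", alert_times(evs, only_required=False))
```

The difference between the two `alert_times` calls is the practical caveat: `dedup source` alone counts distinct sources, not specifically Source1 and Source2, so the search should name the two sources before the dedup, and the >=2 condition then means "both of them".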