Splunk Search

How to replace whole row with null, based on if statement?

niks987
Explorer

Hi All,

Hope you all are doing well.

I was trying to set up an email alert and event creation using Splunk, and it was working fine. But I got a new condition for the existing alert.

The condition is to avoid 2 alerts and event creations when there is a specific alert. In my case, when there is an ABC alert, I have to ignore XYZ and PQR.

The logic seems to be simple: when ABC comes, avoid XYZ and PQR...

But I am unable to execute it on Splunk. I tried the query below, but I think it will yield null when there are any other alerts apart from ABC.

index="myindex" sourcetype="mysourcetype" lab_hub_name="XYZ Hub" rag_status="0"
    (lab_hub_tag="LKJ" OR lab_hub_tag="ABC" OR lab_hub_tag="PQR" OR lab_hub_tag="XYZ"
     OR lab_hub_tag="QWE" OR lab_hub_tag="ERT" OR lab_hub_tag="FGH")
    earliest=-7m latest=now
| stats latest(_time) as latest_tim, count by lab_hub_tag
| rename count as rag_count
| join type=left lab_hub_tag
    [search index="myservicenow" sourcetype="snow:incident" short_description="Splunk Alert - XYZ*" state!="7" earliest=-1d latest=now
    | rex field=short_description "Splunk Alert - XYZ - (?<lab_hub_tag>[\S ]+$)"
    | stats latest(state) as state, count by lab_hub_tag short_description
    | fields - count]
| eval one=if(lab_hub_tag="ABC" AND rag_count>0,"yes","Null")
| search one=yes
| fillnull state short_description
| eval temp_count=if(rag_count>0 AND state="6" OR state="0",1,0)
| eval correlation_id=latest_tim.lab_hub_tag
| where temp_count=1

Please let me know how I can achieve this.

Thanks for your help.

0 Karma

to4kawa
Ultra Champion

Alert Examples

Trigger condition: Custom
Trigger when: search lab_hub_tag!="ABC"

how about this?

0 Karma

niks987
Explorer

Hi to4kawa,

I'm already using a trigger condition...
If | where temp_count=1 returns results, raise the alert. And I think we can't use multiple trigger conditions....

0 Karma

13tsavage
Communicator

I would try:

| eval one=case(lab_hub_tag=="ABC" AND rag_count>0, "null")

Using case(X, Y) takes in X and, if that comes out to be true, returns Y.

0 Karma

niks987
Explorer

Hi 13tsavage,

Thanks for your reply.

Yes, I can use it, but it won't work for the other alerts.
There are 10 alerts which I have merged into one search. Whenever the ABC alert comes, I have to ignore two alerts, and when other alerts apart from ABC come, I have to capture them. When I'm using case or if and then trying to use search or where, it is just taking ABC, which it should.

So i was trying to find a different way to do it.

Please do let me know if you have one.

Thanks in advance 🙂

0 Karma

to4kawa
Ultra Champion
| eval one=if(lab_hub_tag="ABC" AND rag_count>0,"yes","Null")
| search one=yes

I don't think anything other than ABC will be displayed because of this. What's wrong?
You didn't use a code sample, so some of the code has disappeared.

0 Karma

niks987
Explorer

Hi to4kawa,

Sorry, I forgot to use a code sample. I have updated it now.

Yes, only ABC will be displayed. I was asking whether there is any other way to do it?

Thanks for your help 🙂

0 Karma
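The suppression rule the thread is after (keep every tag, but drop XYZ and PQR whenever ABC also fired in the window) cannot be expressed with a per-row if() followed by search, because that filter only ever keeps the ABC row. It needs a flag that spans rows, which is what eventstats gives you. The search below is an added example and is not part of the original thread or any poster's code: it replaces the real index with constructed rows from makeresults so it runs on any Splunk instance, reuses the tag names and the rag_count/latest_tim field names from the question, and uses abc_present as an assumed helper field name.

```spl
| makeresults count=5
| streamstats count as n
| eval lab_hub_tag=case(n=1,"ABC", n=2,"XYZ", n=3,"PQR", n=4,"LKJ", n=5,"QWE")
| eval rag_count=1, latest_tim=_time
| fields - n
| eventstats sum(eval(if(lab_hub_tag="ABC" AND rag_count>0, 1, 0))) as abc_present
| where NOT (abc_present>0 AND (lab_hub_tag="XYZ" OR lab_hub_tag="PQR"))
| fields - abc_present
| eval correlation_id=latest_tim.lab_hub_tag
```

With the constructed rows, the result is ABC, LKJ and QWE; XYZ and PQR are dropped only because the ABC row exists in the same result set. Change the first case() branch to a tag other than ABC and all five rows survive, which is the behaviour the question asks for. To splice this into the original search, drop the `| eval one=...` and `| search one=yes` lines and put the eventstats and where lines in their place, after the stats and join and before the fillnull, so that the ABC row is still present when the flag is computed. Two caveats for the surrounding query: the named group in the rex must be present (the join on lab_hub_tag depends on the subsearch producing that field), and the condition `rag_count>0 AND state="6" OR state="0"` in the temp_count eval relies on implicit AND/OR precedence, so write the grouping you intend with parentheses rather than trusting the default.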