I have to create an alert with 2 conditions
Condition 1: If computer Id is not present, then it should trigger an alert.
Condition 2: It should check only for selected computer Id(s).
For Example:
I want to search only for Computer Id(s) 1001, 1003, 1007, 1008, etc. So what I did is: I created a CSV lookup file, appended the lookup (in the query), and created an alert with the trigger condition "Number of results < 1".
**TRIED WITH QUERY**
index = abc Computerdata
| rex field=_raw "(?ms)^(?:[^\\\\\\n]*\\\\){10}\":(?P<computerId>\\d+)"
| lookup compIDlookup.csv computerId OUTPUT computerId
NOTE: Computer Id is not a field, so I extracted it with rex and then applied the lookup to the extracted field (computer Id).
OUTPUT (what I'm getting):
Even if data for one computer Id is present, it's not checking the other computer Id(s) as per the given condition.
EXPECTED OUTPUT:
All I want is for it to take each ID from the lookup and check; if computer Id data is not present, it should trigger an alert for each particular ID.
Can anyone suggest a solution?
Thanks in Advance!!!
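As an added example (not from the original post), one way to express the per-ID check described in the expected output in SPL: start from the lookup so that every listed ID is a row, left-join the per-ID event counts from the search, and keep only the rows that matched nothing. It assumes the lookup column is named computerId, as in the question, and reuses the question's rex with the capture-group name restored; the index, sourcetype term and lookup file name are taken from the question as given.

```spl
| inputlookup compIDlookup.csv
| fields computerId
| join type=left computerId
    [ search index=abc Computerdata
      | rex field=_raw "(?ms)^(?:[^\\\\\\n]*\\\\){10}\":(?P<computerId>\\d+)"
      | stats count AS seen BY computerId ]
| fillnull value=0 seen
| where seen=0
| table computerId seen
```

Each returned row is an ID from the lookup with no data in the search window, so the alert's trigger condition becomes "Number of results > 0", with "Trigger for each result" if one alert per missing ID is wanted.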