Hi there -
Currently we don't support multiple fields in the same condition (e.g. you can do A>0 and A<10 but not A>0 and B>0).
The workaround is to create a new single column that represents the underlying logic of the column combination, e.g.
From original:

```spl
index=XXXX sourcetype="XXX"
| where Field in("A")
| stats count avg(time) as A
| where A>2 and count>3 --condition1
| where Field in("B")
| stats count avg(time) as B
| where B>5 and count>10 --condition2
```
Change the base search to something along the lines of (note that `count` is renamed to `myCount` by the stats command, so the eval conditions must use `myCount`):

```spl
index=XXXX sourcetype="XXX"
| eval a_or_b=case(Field in("A"), "A", Field in("B"), "B")
| stats count as myCount, avg(time) as avg_time by a_or_b
| eval alert_a=case(a_or_b="A" AND avg_time>2 AND myCount>3, 1)
| eval alert_b=case(a_or_b="B" AND avg_time>5 AND myCount>10, 1)
```
In the UI:

Condition 1: alert_a = 1 --> actions
Condition 2: alert_b = 1 --> actions
Also please feel free to email scs-alerts@splunk.com if you run into any additional trouble!
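As an added example (not part of the answer above), the same pattern folded down to a single result row, so that one custom trigger condition can cover both checks and the alert message can report which condition fired. It assumes the same index, sourcetype, `Field` and `time` names as above; `fired` is a constructed field name.

```spl
index=XXXX sourcetype="XXX"
| eval a_or_b=case(Field in("A"), "A", Field in("B"), "B")
| where isnotnull(a_or_b)
| stats count as myCount, avg(time) as avg_time by a_or_b
| eval alert_a=if(a_or_b="A" AND avg_time>2 AND myCount>3, 1, 0)
| eval alert_b=if(a_or_b="B" AND avg_time>5 AND myCount>10, 1, 0)
| stats max(alert_a) as alert_a, max(alert_b) as alert_b
| eval fired=mvappend(if(alert_a=1, "condition1", null()), if(alert_b=1, "condition2", null()))
| where alert_a=1 OR alert_b=1
```

With this shape the trigger condition can simply be "Number of Results is greater than 0", and `$result.fired$` in the action text lists which of the two conditions was met.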