Hello,
I am new to Splunk and I have a bit of a problem with using the results from the query: <condition match=" 'results.res' >0"> doesn't work so as the $job.resultCount$.
If I try to use 'job.resultCount' or $job.resultCount$ it works, but that's not what I need.
Query:
<search id="parsing_queue">index=_internal source = "udp:514" sourcetype = "syslog" alert | stats count as res -24h@h now $job.resultCount$ no val
Thank you all,
Ronen