If I have a single alert search with multiple conditions that looks something like this:
index=X condition1 OR condition2 OR (condition3 AND subcondition1) OR condition4 OR condition5 OR (condition6 AND subcondition2)
Is there a way to display the actual conditional statement that was met without creating a separate alert for each condition?
In other words, does Splunk set some internal variable that holds the triggered condition (for example - "(condition3 AND subcondition1)") that is accessible to display in an email or notable event?
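One way to carry the matched branch along with the event, as an added SPL example that is not part of the original post: compute it in the search itself with eval, then reference the resulting field from the alert action. The field names (status, action, user) and the values behind condition1, condition3 and subcondition1 are constructed here to make the search runnable; the remaining conditions follow the same pattern. Note that the search filter uses search syntax (field=value) while eval needs boolean expressions (field==value or field="value"), so each condition is written twice.

```spl
index=X (status=500) OR (action="failure" AND user="admin")
| eval matched_condition=case(
    status==500, "condition1",
    action=="failure" AND user=="admin", "(condition3 AND subcondition1)",
    true(), "none")
| eval all_matched=mvappend(
    if(status==500, "condition1", null()),
    if(action=="failure" AND user=="admin", "(condition3 AND subcondition1)", null()))
| table _time matched_condition all_matched
```

case() stops at the first true branch, so matched_condition holds exactly one label even when an event satisfies several conditions; all_matched keeps every label that applied, because mvappend drops null() arguments. In the alert's email action the first result's value is available as the token $result.matched_condition$ in the subject or body; in a notable event the field travels with the result like any other, so it can be used in the title or description without a separate alert per condition.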