Splunk is case-sensitive … except where it isn’t 🙂
By default search ANDs. But if you want to be explicit, you must all-caps AND – just like you must all-caps OR:
index=ndx sourcetype=srctp "someval" "someotherval"
Is the same as:
index=ndx AND sourcetype=srctp AND "someval" AND "someotherval"
Splunk views "and" as raw text to look for, whereas "AND" is an operator
So this should be what you’re looking for (though I generally agree with @RichG’s answer wherein he says you should make the filter in the Alert, and only send if the results are greater than 0):
search NDMCopycount=1 DCOEtransfercount=* NOT (DCOEtransfercount IN(0,1))
from User warren – Stack Overflow https://stackoverflow.com/questions/76165667/how-to-trigger-an-custom-alert-condition-of-multiples-from-the-basic-search-of-s/76173057#76173057
via IFTTT
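The operator rule and the filter from the answer above, modelled in Python as an added example (not code from the answer or from Splunk): a tiny search evaluator that treats only upper-case AND / OR / NOT as operators, ANDs adjacent terms implicitly, and runs the alert filter over a few constructed events, so a lower-case "and" can be seen behaving as a search word. The events, their field names and the use of _raw for free-text terms are constructed assumptions; the evaluator only approximates Splunk's real search semantics.

```python
# Toy model of how Splunk reads a search (added illustration, not Splunk's code): only
# upper-case AND / OR / NOT are operators, adjacent terms are ANDed, "and" is just a word.
import fnmatch
import re
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def parse(toks, level=0):
    """Parse an AND chain (level 0) or an OR chain (level 1); OR binds tighter."""
    operand = (lambda: parse(toks, 1)) if level == 0 else (lambda: parse_unary(toks))
    left = operand()
    while toks and toks[0] != ")" and (level == 0 or toks[0] == "OR"):
        op = toks.pop(0) if toks[0] in ("AND", "OR") else "AND"  # adjacency = implicit AND
        left = (op, left, operand())
    return left

def parse_unary(toks):
    tok = toks.pop(0)
    if tok == "NOT":
        return ("NOT", parse_unary(toks))
    if tok == "(":
        node, _ = parse(toks), toks.pop(0)  # parse the group, then drop its ")"
        return node
    if toks and toks[0] == "IN":  # field IN(v1, v2, ...)
        end = toks.index(")")
        vals = [v for v in ",".join(toks[2:end]).split(",") if v]
        del toks[:end + 1]
        return ("IN", tok, vals)
    m = re.fullmatch(r"([\w.]+)=(.*)", tok)
    return ("EQ", m[1], m[2].strip('"')) if m else ("TERM", tok.strip('"'))

def matches(node, event):
    kind, *a = node
    if kind in ("AND", "OR", "NOT"):
        got = [matches(x, event) for x in a]
        return not got[0] if kind == "NOT" else all(got) if kind == "AND" else any(got)
    if kind == "TERM":  # free-text terms match case-insensitively against _raw
        return a[0].lower() in event.get("_raw", "").lower()
    val = event.get(a[0])  # field names themselves are looked up case-sensitively
    return val is not None and (fnmatch.fnmatchcase(str(val), a[1]) if kind == "EQ" else str(val) in a[1])

def search(query, events):
    tree = parse(TOKEN.findall(query))
    return [e for e in events if matches(tree, e)]

EVENTS = [  # constructed sample events, not real data
    {"_raw": "NDMCopycount=1 DCOEtransfercount=0", "NDMCopycount": 1, "DCOEtransfercount": 0},
    {"_raw": "NDMCopycount=1 DCOEtransfercount=3", "NDMCopycount": 1, "DCOEtransfercount": 3},
    {"_raw": "copy and transfer: NDMCopycount=1", "NDMCopycount": 1, "DCOEtransfercount": 7},
]
ALERT_FILTER = "NDMCopycount=1 DCOEtransfercount=* NOT (DCOEtransfercount IN(0,1))"
```

Running `search(ALERT_FILTER, EVENTS)` keeps only the events whose transfer count is neither 0 nor 1, while `search("NDMCopycount=1 and DCOEtransfercount=*", EVENTS)` matches just the event that literally contains the word "and".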