DX NetOps

Custom & non Custom Event co-relation

    Posted May 20, 2019 11:45 AM

    Hi 

    We have a requirement to apply correlation in Spectrum in order to avoid unwanted alerts.

    Scenario: we are getting traps of AP disassociation from Splunk, with switch information, to Spectrum, and these are converted into alerts, and an alarm will be triggered on the switch. When the AP-connected switch goes down, Spectrum will throw the alarm "device has stopped responding to polls", and if there are 100 APs connected to that switch we will get 100 traps from Splunk.

    So we want to have a procedure in place where Spectrum checks if the switch is down and the AP alerts are due to this; then they should be suppressed and a new alert generated, else it should work as normal. If the switch is not down, the AP dissociated alert will be triggered, which will be genuine.

    To achieve this I tried to convert the "device has stopped responding to polls" alert to an event and then applying an event series rule to check if "device has stopped responding to polls" is followed by Splunk, then generate a new event. But how do I put conditions in this so that, if the above is not true, the "device has stopped responding to" alert is generated normally?