https://community.splunk.com/t5/Splunk-Dev/Run-a-search-based-on-alert-result/m-p/400490#M6897 <P>First possibility - look at @woodcock's answer to this question of how do you prevent a search from running during blackout periods. </P> <P><A href="https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-which-it-should-not-generate-alerts.html">https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-which-it-should-not-generate-alerts.html</A></P> <P>You could apply a version of that solution.</P> <P>Second possibility - you could use your first search to determine and return the <CODE>earliest=</CODE> and <CODE>latest=</CODE> times for your search that collects the data... and then set teh same arbitrary future date/time as both <CODE>earliest</CODE> and <CODE>latest</CODE> if your search determines there is no data. </P> Tue, 14 Aug 2018 01:25:27 GMT DalJeanis 2018-08-14T01:25:27Z https://community.splunk.com/t5/Splunk-Dev/Run-a-search-based-on-alert-result/m-p/400489#M6896 <P>Hi,<BR /> i would like to run a search (to collect data in a summary index) triggered by an alert, which is checking for new data. e.g. if the start of a new dataset comes in, i would like to enrich, manipulate and collect the last dataset into a summary index.</P> <P>if the collect search only runs on a time schedule, i may get inconsistencies in between the collected dataset due to cutting in between. <BR /> i'm looking for something like a custom alert action to trigger another saved search.</P> <P>Thanks in advance.</P> Mon, 13 Aug 2018 12:24:01 GMT https://community.splunk.com/t5/Splunk-Dev/Run-a-search-based-on-alert-result/m-p/400489#M6896 maada 2018-08-13T12:24:01Z https://community.splunk.com/t5/Splunk-Dev/Run-a-search-based-on-alert-result/m-p/400490#M6897 <P>First possibility - look at @woodcock's answer to this question of how do you prevent a search from running during blackout periods. </P> <P><A href="https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-which-it-should-not-generate-alerts.html">https://answers.splunk.com/answers/24824/can-i-set-a-blackout-period-for-a-scheduled-search-during-which-it-should-not-generate-alerts.html</A></P> <P>You could apply a version of that solution.</P> <P>Second possibility - you could use your first search to determine and return the <CODE>earliest=</CODE> and <CODE>latest=</CODE> times for your search that collects the data... and then set teh same arbitrary future date/time as both <CODE>earliest</CODE> and <CODE>latest</CODE> if your search determines there is no data. </P> Tue, 14 Aug 2018 01:25:27 GMT https://community.splunk.com/t5/Splunk-Dev/Run-a-search-based-on-alert-result/m-p/400490#M6897 DalJeanis 2018-08-14T01:25:27Z