https://community.splunk.com/t5/Alerting/Trigger-a-report-based-on-an-event/m-p/44529#M554 <P>Is it possible (and how) to trigger a report to be run based on an event? I have a batch processor that logs to splunk. there are 2 types of events - 1 is job metadata, and the other is job run specifics:</P> <PRE><CODE>JOB METADATA action=start name=MyJob runId=foobar JOB DETAIL id=1 action=update result=pass JOB DETAIL id=2 action=update result=fail JOB DETAIL id=3 action=delete result=pass JOB DETAIL id=4 action=insert result=fail JOB METADATA action=end name=MyJob duration=6300 runId=foobar </CODE></PRE> <P>given these events, I could create a saved search called FailedModifications that gives all the details where result!=pass. But I would only like to run this report for runId=foobar (runId actually uses a date/time stamp), and only run it once the job completes. Something along the lines of using this search: <CODE>eventtype=AJobAction action=end</CODE> as a trigger for my "FailedModifications" saved search to run with an extra "runId" parameter. The FailedModifications search is configured as an alert that emails results (this is a requirement of what I'm trying to configure here).</P> <P>Currently, I'm scheduling the FailedModifications report to run on a cron schedule, with a window matching the schedule intervals, but this is not an ideal configuration. Possible with splunk? if so, how?</P> Fri, 23 Aug 2013 11:35:49 GMT brettcave 2013-08-23T11:35:49Z https://community.splunk.com/t5/Alerting/Trigger-a-report-based-on-an-event/m-p/44529#M554 <P>Is it possible (and how) to trigger a report to be run based on an event? I have a batch processor that logs to splunk. there are 2 types of events - 1 is job metadata, and the other is job run specifics:</P> <PRE><CODE>JOB METADATA action=start name=MyJob runId=foobar JOB DETAIL id=1 action=update result=pass JOB DETAIL id=2 action=update result=fail JOB DETAIL id=3 action=delete result=pass JOB DETAIL id=4 action=insert result=fail JOB METADATA action=end name=MyJob duration=6300 runId=foobar </CODE></PRE> <P>given these events, I could create a saved search called FailedModifications that gives all the details where result!=pass. But I would only like to run this report for runId=foobar (runId actually uses a date/time stamp), and only run it once the job completes. Something along the lines of using this search: <CODE>eventtype=AJobAction action=end</CODE> as a trigger for my "FailedModifications" saved search to run with an extra "runId" parameter. The FailedModifications search is configured as an alert that emails results (this is a requirement of what I'm trying to configure here).</P> <P>Currently, I'm scheduling the FailedModifications report to run on a cron schedule, with a window matching the schedule intervals, but this is not an ideal configuration. Possible with splunk? if so, how?</P> Fri, 23 Aug 2013 11:35:49 GMT https://community.splunk.com/t5/Alerting/Trigger-a-report-based-on-an-event/m-p/44529#M554 brettcave 2013-08-23T11:35:49Z https://community.splunk.com/t5/Alerting/Trigger-a-report-based-on-an-event/m-p/44530#M555 <P>The main search looks like a transaction starting with action=start and finishing with action=end. I hope that you do not have multiple jobs in parallel, otherwise you need a field to join them, maybe the source...</P> <P>If you are using a scheduled search, you can have your report calculated every time, but only sent if a condition is met. (presence of action=end and of result=fail)</P> <P>it can be done by a simple <CODE>| WHERE action=end AND of result=fail</CODE> condition at the very end of the search, and an alert based on "if number of results &gt; 0".</P> Fri, 23 Aug 2013 14:52:24 GMT https://community.splunk.com/t5/Alerting/Trigger-a-report-based-on-an-event/m-p/44530#M555 yannK 2013-08-23T14:52:24Z https://community.splunk.com/t5/Alerting/Trigger-a-report-based-on-an-event/m-p/44531#M556 <P>cool, thanks yannK. Will give it a try and post back.</P> Mon, 26 Aug 2013 13:50:03 GMT https://community.splunk.com/t5/Alerting/Trigger-a-report-based-on-an-event/m-p/44531#M556 brettcave 2013-08-26T13:50:03Z