topic Re: Save search results to index in Splunk Search

Is there a command that I can add to the search query in order to pass the results to the index?

splunknoob2 — Tue, 28 Jun 2022 17:21:53 GMT

Hello,

I have a question regarding the indexing of search results. So, I have an alert that's currently active performing and search and passing the results to a particular event through log events, I would like to modify this job to run in a specific past time window, however I can't edit the job so I would like to be able to run the same search through the splunk search bar and pass the results to the index. I can run the search and get the results through the search but can't output it to the index.

Is there a command that I can add to the search query in order to pass the results to the index?

Thanks in advance.

Re: Save search results to index

gcusello — Tue, 28 Jun 2022 13:57:52 GMT

Hi @splunknoob2,

you could clone your alert in a new one that usually is disabled, instead the original one continue to work.

When you need to run it, you could modify the time frame or other parameters of the modified alert and run once.

In this way, you should continue to have all the actions of the original alert and a new one that you can modify without any change in the original one.

Only for my information, are you speaking of a Correlatin Search in ES or in an alert in another App?

Ciao.

Giuseppe

Re: Save search results to index

splunknoob2 — Thu, 30 Jun 2022 10:58:43 GMT

Thank for your answer. However I cannot clone the job because there are several search heads in the environment and if I do it the job will only appear on the SH I am into (which usually isnt the "captain"). Is there a command to do it in the search bar something like "|logactions" that would take a expression like "action.logevent.param.event = _time=$result._time$" as a parameter? I tried collect however it does not work exactly as the log event action.

Re: Save search results to index

gcusello — Thu, 30 Jun 2022 11:49:16 GMT

Hi @splunknoob2,

if you're using a Search Head Cluster, cloning a knowledhe obkect (like a Correlation Search) in one SH, the operation is replicated on the others.

The same operation is done if you modify some setting in a Correlation Search, but it's a best practice not modify a default Correlation Search, it's always better to clone it and modify the cloned one.

If instead you haven't a Cluster, you have to do the same things manually

Ciao.

Giuseppe