Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I write a single search for populating summary index and creating alerts?

macadminrohit
Contributor
‎07-31-2018 05:05 PM

Hi,

Wanted to know if we can have a single search to populate the summary index and also to create an alert based on the search results.

We have a search for windows event logs for servers to see if some event has occurred. 

index=main | stats count  by host|  eval health=if(count > 1," RED", "GREEN")

We want to write both GREEN and RED events to the summary table but want to alert only for RED ones, is it possible to do this with just one search or shall we create two different searches?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-31-2018 06:24 PM

hello there,

the answer is yes, however, before you proceed, consider the following search as it will be super fast and can be ran on very long periods of time without need to summarize:

| tstats count where index=main by host 
| eval health=if(count > 1," RED", "GREEN")

run a search with the collect command to collect data to summary index, see example below with testmode=true

   index=main 
    | stats count by host 
    | eval health=if(count > 1," RED", "GREEN") 
    | collect index=summary testmode=true

screenshot:
alt text

save as alert and add condition, screenshot:

alt text

configure to run every X interval and it will populate your summary index and alert if condition met

View solution in original post

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-31-2018 06:24 PM

hello there,

the answer is yes, however, before you proceed, consider the following search as it will be super fast and can be ran on very long periods of time without need to summarize:

| tstats count where index=main by host 
| eval health=if(count > 1," RED", "GREEN")

run a search with the collect command to collect data to summary index, see example below with testmode=true

   index=main 
    | stats count by host 
    | eval health=if(count > 1," RED", "GREEN") 
    | collect index=summary testmode=true

screenshot:
alt text

save as alert and add condition, screenshot:

alt text

configure to run every X interval and it will populate your summary index and alert if condition met

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...