- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We operate by using scheduled searches to periodically search through logs collected by Splunk, and trigger actions when log entries matching certain conditions are found.
You can create a list of actions triggered recently (for example, within the past week) by searching for alert_fired="alert_fired" in the _audit index.
At this time, is it possible to join the log entries that matched in each search execution to the list? (I want to know the result of "| loadjob <sid>" for each search.)
The expected output is a table with the search execution time (_time), the search name (ss_name), and the log entries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @takuyaikeda ,
please try this:
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='
| history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='
| metadata type=*
| search totalCount>0"
| stats count by user search _time
| sort _time
| convert ctime(_time)
| stats list(_time) as time list(search) as search by userCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @takuyaikeda ,
please try this:
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='
| history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='
| metadata type=*
| search totalCount>0"
| stats count by user search _time
| sort _time
| convert ctime(_time)
| stats list(_time) as time list(search) as search by userCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for providing valuable information.
While we were able to gather information related to the schedule search execution results using the query you provided, we were unable to obtain the logs detected by the search execution.
However, using the query you provided as a reference, we were able to achieve our desired outcome via the server's CLI, so I would like to report that the issue has been resolved.
The commands we are executing on the server are as follows:
curl -sS -k -u '<ID:PW>' https://localhost:8089/services/search/jobs/export -d search='search index=_audit "user=splunk-system-user" "info=completed" NOT "result_count=0" NOT "savedsearch_name=\"\"" earliest=-2h | stats count by timestamp savedsearch_name search_id' -d output_mode=csv | while read line ; do echo "${line}" | cut -d ',' -f 1 ; echo "${line}" | cut -d ',' -f 2 ; sid=`echo ${line} | cut -d ',' -f 3 | sed "s/'//g"` ; curl -sS -k -u '<ID:PW>' https://localhost:8089/services/search/jobs/export -d search="|loadjob ${sid}" | grep "<field k='_raw'>" | sed -e 's/<\/*field[^>]*>//g' -e 's/<\/*v[^>]*>//g' ; done(I understand that this is not the optimal solution, but at least I was able to obtain the necessary information with this one-liner.)
Giuseppe, grazie mille
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @takuyaikeda ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
