Alerting

How to save results to index with alert action?

simon_b
Path Finder

Hi, is there an alert action to save the results of the search directly to a specified, existing index?

I already tried the "Log event" alert action, but in the "Event" field that has to be specified, I did not know how to access the results of my search.


Thanks for your help!

shivanshu1593
Builder

There is a much easier solution for your requirement. You can use the collect command to route the data of your search to your desired index. You can even specify a sourcetype of your choice, but that will result in the data being counted against your license. By default, the collect command uses the sourcetype stash. Please consider that while doing this.

your search
| collect index=<your_index>

More about the command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect

+++ Please consider accepting as an answer if this helps +++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

simon_b
Path Finder

@shivanshu1593 Thanks for your answer.

The thing is that I don't want to do the data collection in my search as it would cause the "Throttle" option not to work.


shivanshu1593
Builder

Hello Simon,

Thank you for providing additional context about your requirement. To make sure that you can still use throttling by saving the search as an alert, you can output the results of the search to a lookup using the alert action for sending data to a lookup, choosing append or override results as per your convenience, and then create another alert that uses the data in the lookup and sends it to an index using the collect command, as there is no alert action to send data to an index by default in Splunk.

++If it helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
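The two-alert setup described in the reply above, written out as savedsearches.conf stanzas. This is an added example, not from the thread or from Splunk's own documentation; the index alert_archive, the lookup file failed_logins_alert.csv, the alert names and the searches are assumed, and it goes one step beyond the reply by collecting only rows written since the previous archive run, because an appended lookup keeps its old rows.

```ini
# Alert 1: the detection itself, saved as a scheduled alert so that the
# Throttle option keeps working. No | collect in this search: that would run
# on every execution and bypass throttling. The results go to a lookup via the
# "Output results to lookup" alert action, which only runs when the alert fires.
[Failed logins - throttled]
search = index=auth action=failure | stats count by user, src | where count > 10 | eval alert_time=now()
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# Throttle: suppress further triggers for the same user for 4 hours
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 4h
# Alert action: append the triggering rows to a CSV lookup (assumed file name)
action.lookup = 1
action.lookup.filename = failed_logins_alert.csv
action.lookup.append = 1

# Alert 2 (a plain scheduled search, no throttle): move the lookup rows into
# the index. The default sourcetype "stash" keeps the data off the license
# meter. Because append=1 leaves old rows in the lookup, only rows written in
# the last hour (matching the hourly schedule) are collected, and alert_time
# becomes _time so the archived event keeps its original trigger time.
[Failed logins - archive to index]
search = | inputlookup failed_logins_alert.csv | where tonumber(alert_time) >= relative_time(now(), "-1h") | eval _time=alert_time | collect index=alert_archive marker="source_alert=failed_logins"
cron_schedule = 5 * * * *
enableSched = 1
```

The lookup still grows with every trigger, so trim it periodically (for example with an inputlookup / where / outputlookup search that keeps only the last few days of rows).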

simon_b
Path Finder

Hi Shiv,

Thanks again for the answer.

I actually was aware of that solution, but don't find it very elegant or efficient. Given that there is no better solution, I think I'll do it like you explained.


shivanshu1593
Builder

Hello Simon,

Since Splunk doesn't offer an alert action for exporting results to an index, unfortunately this is the only way via UI. You can always file this as an enhancement request for future versions of Splunk.

Best wishes,

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###