Alerting
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to save results to index with alert action?

simon_b
Path Finder
‎01-31-2023 06:37 AM

Hi, is there an alert action to save the results of the search directly to a specified, existing index?

I already tried the "Log event" alert action, but in the "Event" field that has to be specified, I did not know how to access the results of my search.

 

Thanks for your help!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

shivanshu1593
Builder
‎02-01-2023 09:14 AM

Hello Simon,

Thank you for providing additional context about your requirement. To make sure that you use the throttling part by saving the search as an alert, you can output the results of the search to a lookup using the alert action for sending data to a lookup and choosing the append or override results as per your convenience and then create another alert to use the data in the lookup and send it to an index using collect command as there is no alert action to send the data to an index by default in Splunk. 

shivanshu1593_0-1675271612583.png


++If it helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

View solution in original post

Reply
Solved! Jump to solution

shivanshu1593
Builder
‎01-31-2023 06:49 AM

There is a much easier solution for your requirement. You can use the collect command to route the data of your search to your desired index. You can even specify a sourcetype of your choice, but that will result into the data being counted against your license. By default, collect command uses sourcetype as stash. Please consider that while doing this.

 

your search
| collect index=<your_index>

 

More about the command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect

+++ Please consider accepting as an answer if this helps +++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution

simon_b
Path Finder
‎01-31-2023 09:59 AM

@shivanshu1593 Thanks for your answer.

The thing is that I don't want to do the data collection in my search as it would cause the "Throttle" option not to work.

0 Karma
Reply
Solved! Jump to solution
Solution

shivanshu1593
Builder
‎02-01-2023 09:14 AM

Hello Simon,

Thank you for providing additional context about your requirement. To make sure that you use the throttling part by saving the search as an alert, you can output the results of the search to a lookup using the alert action for sending data to a lookup and choosing the append or override results as per your convenience and then create another alert to use the data in the lookup and send it to an index using collect command as there is no alert action to send the data to an index by default in Splunk. 

shivanshu1593_0-1675271612583.png


++If it helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Reply
Solved! Jump to solution

simon_b
Path Finder
‎02-02-2023 03:13 AM

Hi Shiv,

thanks again for the answer.

I actually was aware of that solution, but don't find it very elegant or efficient. Facing that there is no better solution, I think I'll do it like you explained.

0 Karma
Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-02-2023 05:54 AM

Hello Simon,

Since Splunk doesn't offer an alert action for exporting results to an index, unfortunately this is the only way via UI. You can always file this as an enhancement request for future versions of Splunk.

Best wishes,

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top