Folks, we had to do summary indexing of alerts created by saved searches. This has been accomplished with logevent (though it's NOT well documented in the Splunk docs). I've used https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch to set it up, and the tokens are all working well.
The settings are like below
logevent.param.index: test
logevent.param.sourcetype: my_summary_index_st
logevent.param.event: $name$ $result.*$
BUT, only the FIRST alert is captured by the $result.*$ token.
Any idea how to ensure all the events from the alert are captured? (`$results.*$` is NOT working.)
PS: I've submitted feedback to the docs team to update all the parameters, but the docs are lacking a lot compared to the alert functionality.
Combine your results into a single row
P.S. It is documented in a number of places that $result.*$ only gives access to the first result row in the set.
Hello,
I found out my scheduled logevent reports (saved searches) were only inserting one row.
I had to open the search, then save it as an alert and trigger on "each event".
This should be an enhancement request / well documented 🙂
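Added example, not from any post in this thread: a savedsearches.conf fragment showing the two approaches the replies describe, collapsing the result set into a single row so that $result.<field>$ (which only reads the first row) carries everything, versus keeping the rows and firing the logevent action once per result ("Trigger: For each result" in the UI, which writes alert.digest_mode = 0). The stanza names, the example search over index=auth, and the field names host, user, src_ip, and status are assumptions; the index "test" and sourcetype "my_summary_index_st" are taken from the question. In savedsearches.conf the parameters carry the action. prefix that the question's list omits.

```ini
# Added example (not from this thread). Stanza names, the index=auth search and
# the field names host/user/src_ip are assumptions chosen for illustration.

# Approach 1: reduce every result row into ONE row before the alert fires.
# $result.<field>$ only reads the first row, so put everything in that row.
[summary_failed_logins_combined]
search = index=auth action=failure \
| stats count AS failures, values(src_ip) AS src_ips, dc(user) AS users BY host \
| eval line = host . ":" . failures . " failures from " . mvjoin(src_ips, ",") \
| stats sum(failures) AS total, list(line) AS lines \
| eval summary = mvjoin(lines, " | ")
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
action.logevent = 1
action.logevent.param.index = test
action.logevent.param.sourcetype = my_summary_index_st
action.logevent.param.event = $name$ total=$result.total$ $result.summary$

# Approach 2: keep one row per host/user and fire the action once PER row.
# alert.digest_mode = 0 is what "Trigger: For each result" sets in the UI;
# each row is then indexed as its own summary event.
[summary_failed_logins_per_result]
search = index=auth action=failure \
| stats count AS failures, values(src_ip) AS src_ips BY host, user \
| eval src_ips = mvjoin(src_ips, ",")
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
action.logevent = 1
action.logevent.param.index = test
action.logevent.param.sourcetype = my_summary_index_st
action.logevent.param.event = $name$ host=$result.host$ user=$result.user$ failures=$result.failures$ src_ips=$result.src_ips$
```

Approach 1 changes the search itself, so, as the question's author notes, it also changes what any other action on the same saved search (email, webhook) receives. Approach 2 leaves the search untouched but runs the logevent action once for every result row, so a search that returns thousands of rows will generate thousands of summary events and action invocations; keep the per-row count bounded (here the stats BY clause does that) before switching a search to per-result triggering.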
Unfortunately, the saved search logic is not within our control but the client's. Also, it may impact other elements like webhooks/emails etc. if the manipulation happens at the search level.