Alerting

Savedsearches logevent action: how to ensure all alerts are captured?

koshyk
Super Champion

Folks, we had to do summary indexing of alerts created by savedsearches. This has been accomplished with logevent (though it's NOT well documented in the Splunk docs). I've used https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch to set it up and the tokens are all working fine.

The settings are like below


logevent.param.index: test
logevent.param.sourcetype: my_summary_index_st
logevent.param.event: $name$ $result.*$


BUT, only the FIRST alert is captured by the $result.*$ token.

Any idea how to ensure all the events from the alert are captured? (`$results.*$` is NOT working)

PS: I've sent feedback to the docs team to update all the parameters, but the docs are lacking a lot compared to the alert functionality.


ITWhisperer
SplunkTrust

Combine your results into a single row

P.S. It is documented in a number of places that $result.*$ only gives access to the first result row in the set.

splunkreal
Motivator

Hello,

I found out my scheduled logevent reports (saved searches) were only inserting one row.

I had to open the search, then save it as an alert and trigger on "each event".

This should be an enhancement request / well documented 🙂


* If this helps, please upvote or accept solution 🙂 *
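The two answers above describe two ways around the first-row limit: collapse the result set into a single row so $result.*$ sees everything, or trigger the action per result. Here is an added illustration of both (not from the original thread or from Splunk's docs) as a hypothetical savedsearches.conf stanza; the stanza name, the search and its field names are constructed.

```ini
# Constructed example (not from the thread): a savedsearches.conf stanza whose
# search folds every result row into ONE row, so the $result.<field>$ tokens,
# which only ever read the first row, still carry the whole result set into
# the summary index via the logevent action.
[hypothetical_failed_logins_summary]
# Assumed search: count failed logins per user, then fold all rows into a
# single multivalue field and join it into one string field named "rows".
search = index=auth action=failure \
    | stats count BY user \
    | eval row = user . "=" . count \
    | stats values(row) AS rows, sum(count) AS total \
    | eval rows = mvjoin(rows, "; ")
cron_schedule = */15 * * * *
enableSched = 1
# Fire when the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
# Digest mode (1) runs the action once for the whole result set; because the
# search now returns a single row, the token expansion below loses nothing.
# The alternative from the second answer ("trigger for each result") is
# alert.digest_mode = 0, which runs the logevent action once per row instead.
alert.digest_mode = 1
alert.track = 1
# Settings from the question, with the token narrowed to the combined fields.
action.logevent = 1
action.logevent.param.index = test
action.logevent.param.sourcetype = my_summary_index_st
action.logevent.param.event = $name$ total=$result.total$ rows=$result.rows$
```

With the combined-row form the summary event is one line per scheduled run, which is also easier to alert on later than one summary event per original result.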

koshyk
Super Champion

Unfortunately the savedsearch logic is not within our control but with the client. Also, it may impact other elements like webhooks/emails etc. if the manipulation happens at the search level.
