Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Trigger a report based on an event

brettcave
Builder
‎08-23-2013 04:35 AM

Is it possible (and how) to trigger a report to be run based on an event? I have a batch processor that logs to splunk. there are 2 types of events - 1 is job metadata, and the other is job run specifics:

JOB METADATA action=start name=MyJob runId=foobar
JOB DETAIL id=1 action=update result=pass
JOB DETAIL id=2 action=update result=fail
JOB DETAIL id=3 action=delete result=pass
JOB DETAIL id=4 action=insert result=fail
JOB METADATA action=end name=MyJob duration=6300 runId=foobar

given these events, I could create a saved search called FailedModifications that gives all the details where result!=pass. But I would only like to run this report for runId=foobar (runId actually uses a date/time stamp), and only run it once the job completes. Something along the lines of using this search: eventtype=AJobAction action=end as a trigger for my "FailedModifications" saved search to run with an extra "runId" parameter. The FailedModifications search is configured as an alert that emails results (this is a requirement of what I'm trying to configure here).

Currently, I'm scheduling the FailedModifications report to run on a cron schedule, with a window matching the schedule intervals, but this is not an ideal configuration. Possible with splunk? if so, how?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-23-2013 07:52 AM

The main search looks like a transaction starting with action=start and finishing with action=end. I hope that you do not have multiple jobs in parallel, otherwise you need a field to join them, maybe the source...

If you are using a scheduled search, you can have your report calculated every time, but only sent if a condition is met. (presence of action=end and of result=fail)

it can be done by a simple | WHERE action=end AND of result=fail condition at the very end of the search, and an alert based on "if number of results > 0".

0 Karma
Reply

brettcave
Builder
‎08-26-2013 06:50 AM

cool, thanks yannK. Will give it a try and post back.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...