Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trigger a report based on an event

brettcave
Builder
‎08-23-2013 04:35 AM

Is it possible (and how) to trigger a report to be run based on an event? I have a batch processor that logs to splunk. there are 2 types of events - 1 is job metadata, and the other is job run specifics:

JOB METADATA action=start name=MyJob runId=foobar
JOB DETAIL id=1 action=update result=pass
JOB DETAIL id=2 action=update result=fail
JOB DETAIL id=3 action=delete result=pass
JOB DETAIL id=4 action=insert result=fail
JOB METADATA action=end name=MyJob duration=6300 runId=foobar

given these events, I could create a saved search called FailedModifications that gives all the details where result!=pass. But I would only like to run this report for runId=foobar (runId actually uses a date/time stamp), and only run it once the job completes. Something along the lines of using this search: eventtype=AJobAction action=end as a trigger for my "FailedModifications" saved search to run with an extra "runId" parameter. The FailedModifications search is configured as an alert that emails results (this is a requirement of what I'm trying to configure here).

Currently, I'm scheduling the FailedModifications report to run on a cron schedule, with a window matching the schedule intervals, but this is not an ideal configuration. Possible with splunk? if so, how?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-23-2013 07:52 AM

The main search looks like a transaction starting with action=start and finishing with action=end. I hope that you do not have multiple jobs in parallel, otherwise you need a field to join them, maybe the source...

If you are using a scheduled search, you can have your report calculated every time, but only sent if a condition is met. (presence of action=end and of result=fail)

it can be done by a simple | WHERE action=end AND of result=fail condition at the very end of the search, and an alert based on "if number of results > 0".

0 Karma
Reply

brettcave
Builder
‎08-26-2013 06:50 AM

cool, thanks yannK. Will give it a try and post back.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...