how to run a second search based on an alert that ...

Ruben_sb1 · ‎09-27-2021

Hi everyone.
I try to explain you.

For example:
I can detect when a user has been connected form a X country, in this moment splunk send me a email, and I need to starting a investigation to determinate if that event is known.

My question is:

How can i configure a second search when that alert has been trigged?

I would like Splunk run a search whit the information that it got from the alert.

I wouldn’t like to modify my original search because if a add this second search in my firs search My performance could be affected,

thanks and regards.

gcusello · ‎09-28-2021

Hi @Ruben_sb1,

you could save the results of the Alert's search in a lookup or (better) in a summary index.

So you have an index that contains all the fired alerts to use for your searches, dashboards and alerts.

You can easily reach this adding an action to your alert (Save in Lookup) or (I usually prefer this solution) adding at the end of your alert "| collect index=my_summary_alerts_index".

Ciao.

Giuseppe

how to run a second search based on an alert that has already been trigged

alert action

alert condition

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?