Is is possible to setup an alerting condition on a scheduled saved search what would turn around and launch another saved search?
This may seem like a weird request, but here are some scenarios I've come across this week where I think such a function may be helpful. Or perhaps an better alternative is out there. Either way, I'm looking for ideas.
pidvalue which has to be crossed referenced with other events to get other relevant fields (username, local_ip, remote_ip,...). What would be nice is to have one scheduled saved search that looks for this scenario, which would then trigger another more-detailed saved search that reports the full-detail via an email alert action. (This second saved search is not scheduled, it is only run on demand.) That way, the heavy-duty (more resource intensive) search only runs on an as-needed basis, which is triggered by a lighter-weight regularly scheduled search.
I've thought of a few ways to jerry-rig this, but nothing stands out as a good idea at the moment. If there is a way to use an triggered action script to make an API call to splunkd to setup a scheduled savedsearch to run just once, or a "run-now" mode that could probably do the trick.
The thing I like about having one scheduled saved search trigger another saved search is that such a mechanism could be done from within the scheduler and could therefore be managed and controlled by it.
Any thoughts or ideas?
Since I really haven't received any helpful feedback on this, and I'm not very good at sitting still, I've started working on my own solution to this problem by attempting to create a custom alerting action which will run a custom search command, which in turn will trigger the execution of a secondary saved search.
I've run into an issue getting the custom alerting action working, but again I'm just trying to figure out what I can based on existing config files.
I've had some success getting a custom search command to launch a saved search, but I've run into an bug that prevents the authentication session key from being usable by a search command.
@Paolo, I was wondering that too. But the answer I received is that can't really abort a search like this. There is really no flow control mechanism provided by splunk short of the alerting condition of a saved search. See related: http://answers.splunk.com/questions/4472/can-a-search-be-terminated-prematurely-based-on-a-condition...
This is very interesting.
Whould there be a way to abort the search execution without raising an error?
Because you could then add a custom search command which, in case reads zero-input results, aborts the search. Something like this:
"lightsearch" | abortonnoresults | search "heavysearch" | ...
Yes, that is correct. I do want to use conditional alerting. But I want to use it in a way that is not coved in the docs. I would like to use a conditional alert that runs a secondary saved search and I want that secondary search to actually be the search that launches the alerting action. Perhaps my question was unclear.