Getting Data In

Shell script execution after a search and outputcsv

plongpre
Engager

Hi,
I'm trying to run the following query:
index=alerts Status="Open" AlertId="30822ac3b4a6138de30c5726e2e05931"|table _time, AlertId, host, user, AlertMsg, "Close", |head 1
|outputcsv updatedalert | movealert

movealert at the end of the query is a batch file hosted on my server.
If I run the first part of the command, it creates the updatedalert.csv file as expected.
If I run a search only with "| movealert" alone, the script executes and moves the files to my lookup directory.
But when I try to run both command combined, none of them executes as if one was blocking the other.

Any idea if (and how) I can this to work?

Tags (1)
0 Karma
1 Solution

anjambha
Communicator

Hi..

try below query..

| movealert [search index=alerts Status="Open" AlertId="30822ac3b4a6138de30c5726e2e05931"|table _time, AlertId, host, user, AlertMsg, "Close", |head 1
|outputcsv updatedalert | return NULL]

View solution in original post

anjambha
Communicator

Hi..

try below query..

| movealert [search index=alerts Status="Open" AlertId="30822ac3b4a6138de30c5726e2e05931"|table _time, AlertId, host, user, AlertMsg, "Close", |head 1
|outputcsv updatedalert | return NULL]

plongpre
Engager

Works perfectly! Thanks a lot anjambha!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...