Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to combine these two search results to create 1 alert?

jimmerb83
New Member
‎10-26-2017 02:33 PM

I have two very different search queries that I am having a hard time combining into one search.

Search 1 yields results if the indexer hasn't received any data from the server's universal forwarder in over 5 minutes:

| metadata type=hosts index=* | search host=WinServer1 | where now()-lastTime>=300 | table host lastTime | eval lastTime=strftime(lastTime, "%c")

Search 2 ingests the Windows Update Logs (C:\Windows\WindowsUpdate.log) and searches for the log entry "AU initiates service shutdown" which is generated when the server is shut down gracefully:

host=WinServer1 "AU initiates service shutdown"

The purpose of combining these searches is to create two alerts: One that will indicate the server has been shut down gracefully and another if the server has experience a hard shutdown.

For example, if the server has a graceful shutdown, the search terms would be combined as: Search 1 AND Search 2.

If the server has a hard shutdown, the search terms would be combined as: Search 1 NOT Search 2.

I am unable to find the right way to use boolean operators to combine these 2 searches, and am not sure if it would be even possible considering they are both looking for very different data. Any help is greatly appreciated.

0 Karma
Reply

DalJeanis
Legend
‎10-26-2017 03:40 PM

Try something like this...

(your search 1)
OR (your search 2)
| fields host lastTime   whatever you want to see from either search
| where (test for search 1 AND now()-lastTime>=300) OR (test for search 2)
| eval shutdown = case(test for search 2,"Graceful")
| stats values(*) as * by host
| eval shutdown = coalesce(shutdown,"Hard")
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...