Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to combine these two search results to create 1 alert?

jimmerb83
New Member
‎10-26-2017 02:33 PM

I have two very different search queries that I am having a hard time combining into one search.

Search 1 yields results if the indexer hasn't received any data from the server's universal forwarder in over 5 minutes:

| metadata type=hosts index=* | search host=WinServer1 | where now()-lastTime>=300 | table host lastTime | eval lastTime=strftime(lastTime, "%c")

Search 2 ingests the Windows Update Logs (C:\Windows\WindowsUpdate.log) and searches for the log entry "AU initiates service shutdown" which is generated when the server is shut down gracefully:

host=WinServer1 "AU initiates service shutdown"

The purpose of combining these searches is to create two alerts: One that will indicate the server has been shut down gracefully and another if the server has experience a hard shutdown.

For example, if the server has a graceful shutdown, the search terms would be combined as: Search 1 AND Search 2.

If the server has a hard shutdown, the search terms would be combined as: Search 1 NOT Search 2.

I am unable to find the right way to use boolean operators to combine these 2 searches, and am not sure if it would be even possible considering they are both looking for very different data. Any help is greatly appreciated.

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎10-26-2017 03:40 PM

Try something like this...

(your search 1)
OR (your search 2)
| fields host lastTime   whatever you want to see from either search
| where (test for search 1 AND now()-lastTime>=300) OR (test for search 2)
| eval shutdown = case(test for search 2,"Graceful")
| stats values(*) as * by host
| eval shutdown = coalesce(shutdown,"Hard")
0 Karma
Reply
The Latest From the Splunk Community!