Is it possible to combine these two search results to create 1 alert?

jimmerb83
New Member

I have two very different search queries that I am having a hard time combining into one search.

Search 1 yields results if the indexer hasn't received any data from the server's universal forwarder in over 5 minutes:

| metadata type=hosts index=* | search host=WinServer1 | where now()-lastTime>=300 | table host lastTime | eval lastTime=strftime(lastTime, "%c")

Search 2 ingests the Windows Update Logs (C:\Windows\WindowsUpdate.log) and searches for the log entry "AU initiates service shutdown" which is generated when the server is shut down gracefully:

host=WinServer1 "AU initiates service shutdown"

The purpose of combining these searches is to create two alerts: One that will indicate the server has been shut down gracefully and another if the server has experienced a hard shutdown.

For example, if the server has a graceful shutdown, the search terms would be combined as: Search 1 AND Search 2.

If the server has a hard shutdown, the search terms would be combined as: Search 1 NOT Search 2.

I am unable to find the right way to use boolean operators to combine these 2 searches, and am not sure if it would even be possible considering they are both looking for very different data. Any help is greatly appreciated.

DalJeanis
SplunkTrust

Try something like this...

(your search 1)
OR (your search 2)
| fields host lastTime   whatever you want to see from either search
| where (test for search 1 AND now()-lastTime>=300) OR (test for search 2)
| eval shutdown = case(test for search 2,"Graceful")
| stats values(*) as * by host
| eval shutdown = coalesce(shutdown,"Hard")
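Added example, not part of the original thread: one concrete SPL search that fills in the skeleton above with the two searches from the question. Because `| metadata` is a generating command, it cannot be placed inside a boolean OR alongside an event search, so the WindowsUpdate.log search is brought in with `append` instead and the two result sets are merged with `stats` by host. The 24-hour lookback for the shutdown message and the 600-second tolerance (the graceful message must fall within 10 minutes of the last event the indexer received from the host) are assumptions to tune for your environment.

```spl
| metadata type=hosts index=*
| search host=WinServer1
| where now()-lastTime>=300
| fields host lastTime
| append
    [ search host=WinServer1 "AU initiates service shutdown" earliest=-24h
      | stats max(_time) as lastShutdownMsg by host ]
| stats max(lastTime) as lastTime, max(lastShutdownMsg) as lastShutdownMsg by host
| where isnotnull(lastTime)
| eval shutdown=if(isnotnull(lastShutdownMsg) AND lastTime-lastShutdownMsg<=600, "Graceful", "Hard")
| eval lastTime=strftime(lastTime, "%c"), lastShutdownMsg=strftime(lastShutdownMsg, "%c")
| table host shutdown lastTime lastShutdownMsg
```

The `where isnotnull(lastTime)` line drops hosts that only appeared in the subsearch (a shutdown message was logged but the forwarder is still sending), so a row is produced only when the host has actually gone quiet. Save the search twice to get the two alerts the question asks for, appending `| search shutdown=Graceful` to one and `| search shutdown=Hard` to the other, and schedule each at an interval no longer than the 5-minute silence threshold. Two caveats worth keeping in mind: `lastTime` from `metadata` is the latest event timestamp, not the time the indexer received it, so a skewed clock on WinServer1 shifts the silence calculation; and a graceful shutdown is only classified as such if the forwarder managed to ship the "AU initiates service shutdown" line before the service stopped, so a fast shutdown can still show up as "Hard".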