Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to combine these two search results to create 1 alert?

jimmerb83
New Member
‎10-26-2017 02:33 PM

I have two very different search queries that I am having a hard time combining into one search.

Search 1 yields results if the indexer hasn't received any data from the server's universal forwarder in over 5 minutes:

| metadata type=hosts index=* | search host=WinServer1 | where now()-lastTime>=300 | table host lastTime | eval lastTime=strftime(lastTime, "%c")

Search 2 ingests the Windows Update Logs (C:\Windows\WindowsUpdate.log) and searches for the log entry "AU initiates service shutdown" which is generated when the server is shut down gracefully:

host=WinServer1 "AU initiates service shutdown"

The purpose of combining these searches is to create two alerts: One that will indicate the server has been shut down gracefully and another if the server has experience a hard shutdown.

For example, if the server has a graceful shutdown, the search terms would be combined as: Search 1 AND Search 2.

If the server has a hard shutdown, the search terms would be combined as: Search 1 NOT Search 2.

I am unable to find the right way to use boolean operators to combine these 2 searches, and am not sure if it would be even possible considering they are both looking for very different data. Any help is greatly appreciated.

0 Karma
Reply

DalJeanis
Legend
‎10-26-2017 03:40 PM

Try something like this...

(your search 1)
OR (your search 2)
| fields host lastTime   whatever you want to see from either search
| where (test for search 1 AND now()-lastTime>=300) OR (test for search 2)
| eval shutdown = case(test for search 2,"Graceful")
| stats values(*) as * by host
| eval shutdown = coalesce(shutdown,"Hard")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...