Solved: Is it possible to create an alert that does summar...

morethanyell · ‎10-26-2018

We got a working solution using saved searches (summary indexer and alert sending email) that does something like this:

# Name: our_good_saved_search
# Schedule: runs every 30 minutes
# Type: Summary Indexing Saved Search
# Description: Basically, what below does is it'll get logs from a raw index, put them in a summary index if the same logs aren't in the summary index yet

index=our_raw_index sourcetype=our_logs earliest=-5d@w1
| dedup Some, Unique, Fields,
| table Some, Unique, Fields, Just, Another, Column
| join type=left Some, Unique, Fields
    [ search index=our_summary_index source=our_good_saved_search earliest=-5d@w1
    | eval Excluder = 1 ]
| where isnull(Excluder)
| eval _time = now()
| table _time, Some, Unique, Fields, Just, Another, Column

# Name: our_good_email_sender
# Schedule: 1,31 * * * *
# Type: Alert With Send Email Action
# Description: Basically, what below does is when it detects new items, it'll send emails for each of them

index=our_summary_index source=our_good_saved_search earliest=-29min@min-1s@s
| table _time, Some, Unique, Fields, Just, Another, Column

We find it redundant since both are types of saved searches. We're wondering if it's possible that the whole thing can be done by just one alert basically like this:

index=our_raw_index sourcetype=our_logs earliest=-5d@w1
| dedup Some, Unique, Fields,
| table Some, Unique, Fields, Just, Another, Column
| join type=left Some, Unique, Fields
    [ search index=our_summary_index source=our_good_email_sender earliest=-5d@w1
    | eval Excluder = 1 ]
| where isnull(Excluder)
| eval _time = now()
| table _time, Some, Unique, Fields, Just, Another, Column
| summaryindex ...

Theoretically, the above code is an alert that would

Summary index its result
Send an email for each result.

I've already tried adding the action_summary.index=1 and action.summary_index._name = our_summary_index configs but they're not working.

If this is possible, please advise on what I am missing.

Thanks in advance.

woodcock · ‎11-07-2018

You need not use the alert actions; you can do the same thing with SPL. You can use collect to send data to a summary index and you can use sendemail to send results by email.

View solution in original post

woodcock · ‎11-07-2018

You need not use the alert actions; you can do the same thing with SPL. You can use collect to send data to a summary index and you can use sendemail to send results by email.

morethanyell · ‎11-09-2018

Hi. Thanks for the "collect".. It's working. However, I can't get to pass a random string to the "file" argument. It says that we need to do file=randomstring_event.stash.

How do you pass a random, say _time, there?

woodcock · ‎11-10-2018

Use marker and be aware that there has to be a comma and a space between the key=value pairs and if the value contains spaces or commas, it needs to be escape quoted. The stream should have an | addinfo included for the manual population of the index (backfill):

... Your Search Here
| addinfo
| collect index=mysummary marker="_time=foo, summary_span=3600, summary_method=bucket, search_name=\"vpn starts and stops\""

Vijeta · ‎10-26-2018

you can use collect command for summary indexing your search results and sendemail command for sending the email of search result.

Is it possible to create an alert that does summary indexing and sends an email?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Is it possible to create an alert that does summary indexing and sends an email?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?