Reporting

Grab statistics for complex searches where eventtypes doesn't do the trick

Starlette
Contributor

Let's say I have a few searches:

alert1
search | eval etc | stats count by field1, field2, etc

alert2
search | eval etc | stats count by field1, field2, etc

alert3
search | eval etc | stats count by field1, field2, etc

Now I want to make a search for top alerts, though I can't make eventtypes. What's the most handy way to get there?

0 Karma

Starlette
Contributor

OK thanks, I am aware it isn't easy. This is just a general question, and the 3 searches are an example to describe the functional fundamentals.
Bottom line is I have separate searches which are running in notification if there is a (SIEM) hit; those are combinations of eval, subsearches, lookups, etc. So I just wondered if I can run a top just like eventtypes top.
On the dashboards I have, per search, postprocesses with linkswitches, intentions to drilldowns, etc.
I will dig into this later, but apparently it's more complex than I was thinking (I just thought I could group "search" results and simply count them...).

0 Karma

southeringtonp
Motivator

A few approaches...

  1. Find out why you can't define eventtypes. Talk to your Splunk admin and have the eventtypes added for you, or ask for permissions to do it yourself.

  2. Use 'OR' conditions in your search string, and group by some field other than eventtype. signature or EventCode might be a good choice, depending on your alert conditions.

  3. Run your existing searches, but don't send email alerts. Instead, enable summary indexing. Run a separate search against the summary index for alerting.

  4. Run your existing searches, but don't send email alerts. If all you care about is the result count, you can search against `index=_internal SavedSplunker` to find the number of results that matched. Then use savedsearch_name like you would eventtype.

  5. Use |append to run your three searches, and create your equivalent to the eventtype field for each alert type using eval. Then pipe the whole mess into top or stats.

0 Karma
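As an added illustration of approach 5 (this is not code from the answer above or from the original poster; the three base searches are constructed placeholders, and `index=main`, `sourcetype=syslog`, `index=wineventlog` and the `alert` field name are assumptions you would replace with your own alert searches), the pattern is: tag each search's results with an eval'd label that plays the role of eventtype, append them, then aggregate across the combined set:

```spl
index=main sourcetype=syslog "Failed password"
| eval alert="alert1"
| stats count AS hits BY alert
| append
    [ search index=main sourcetype=syslog "Invalid user"
      | eval alert="alert2"
      | stats count AS hits BY alert ]
| append
    [ search index=wineventlog EventCode=4625
      | eval alert="alert3"
      | stats count AS hits BY alert ]
| stats sum(hits) AS count BY alert
| sort - count
```

Each branch is reduced to a single row with `stats count` before it is appended, so the subsearches stay well under append's default result and time limits even when the underlying alert searches match many events; the final `stats sum(hits)` gives the same table `top alert` would. If you need the per-alert breakdown by field1/field2 as in the original searches, move those fields into each branch's `BY` clause and into the final `stats` the same way.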

Starlette
Contributor

Strange that this one is devoted... the search hit is an alert and differs per alert (f.i. external lookup for fields which are allowed, or users who are logged into a system with a non-allowed name, etc.).

So if there is a search hit then it's an alert... now I want a consolidated overview instead of a bunch of loose rangemap values.

0 Karma

hazekamp
Builder

What defines an alert? What defines alert count?

0 Karma