Grab statistics for complex searches where eventtypes don't do the trick

Starlette
Contributor

Let's say I have a few searches:

alert1
search | eval etc | stats count by field1, field2, etc

alert2
search | eval etc | stats count by field1, field2, etc

alert3
search | eval etc | stats count by field1, field2, etc

Now I want to make a search for top alerts, though I can't make eventtypes. What's the most handy way to get there?

0 Karma

Starlette
Contributor

Okay thanks, I am aware it isn't easy, this is just a general question, and the 3 searches are an example to describe the functional fundamentals.
Bottom line is I have separate searches which are running in notification if there is a (SIEM) hit, those are combis of eval, subsearches, lookups etc. So just wondered if I can run a top just like eventtypes top.
On the dashboards I have per search, postprocesses, with linkswitches, intentions to drills etc etc..
I will dig into this later but apparently it's more complex than I was thinking (just thought I could group "search" results and simply count them....

0 Karma

southeringtonp
Motivator

A few approaches...

  1. Find out why you can't define eventtypes. Talk to your Splunk admin and have the eventtypes added for you, or ask for permissions to do it yourself.

  2. Use 'OR' conditions in your search string, and group by some field other than eventtype. signature or EventCode might be a good choice, depending on your alert conditions.

  3. Run your existing searches, but don't send email alerts. Instead, enable summary indexing. Run a separate search against the summary index for alerting.

  4. Run your existing searches, but don't send email alerts. If all you care about is the result count, you can search against index=internal SavedSplunker to find the number of results that matched. Then use savedsearch_name like you would eventtype.

  5. Use |append to run your three searches, and create your equivalent to the eventtype field for each alert type using eval. Then pipe the whole mess into top or stats.

0 Karma
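As an added illustration of approach 5 above (this is not code from southeringtonp's answer or from the original thread), here is what the combined search looks like in SPL. The three subsearches stand in for the poster's alert1/alert2/alert3; the index, sourcetypes, lookup and field names (`siem`, `firewall`, `auth`, `proxy`, `allowed_sources`, `src_ip`, `user`, `url`) are made-up placeholders. Each branch keeps its own `stats count by ...` and then tags its rows with an `alert_name` field that plays the role an eventtype would; the final `stats` collapses everything into one row per alert, which is the consolidated overview the question asks for.

```spl
index=siem sourcetype=firewall action=blocked
| lookup allowed_sources src_ip OUTPUT allowed
| where isnull(allowed)
| stats count by src_ip, dest_port
| eval alert_name="alert1_unexpected_source"
| append
    [ search index=siem sourcetype=auth action=success
      | where NOT match(user, "^CORP\\\\")
      | stats count by user, host
      | eval alert_name="alert2_nonstandard_login" ]
| append
    [ search index=siem sourcetype=proxy status=403
      | stats count by src_ip, url
      | eval alert_name="alert3_proxy_denied" ]
| stats sum(count) AS hits, dc(alert_name) AS alert_types by alert_name
| sort - hits
```

Two caveats worth knowing before relying on this for alerting: `append` runs its subsearches under the subsearch limits (a maximum result count and a maximum run time), so a noisy alert can be silently truncated and undercounted; and every base search is re-executed each time the dashboard loads, which is the reason the summary-index route in approach 3 scales better once the individual searches become heavy.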

Starlette
Contributor

Strange that this one is downvoted... the search hit is an alert and differs per alert (f.i. external lookup for fields which are allowed, or users who are logged into a system with a non-allowed name etc etc...

So if there is a search hit then it's an alert.... now I want a consolidated overview instead of a bunch of loose rangemap values.

0 Karma

hazekamp
Builder

What defines an alert? What defines alert count?

0 Karma