Reporting

Is it possible to merge results from last scheduled saved search with the latest run?

Explorer

Is it possible to merge the results from the last run of the saved search with the newest run? I would like to be able to keep a report of the running average of some different values.

Results after 1st search:
Monday 10000
Tuesday 43000
Wednesday 15000

Results of next search:
Monday 12000
Tuesday 51000
Wednesday 19000

Report shows:
Monday 11000
Tuesday 47000
Wednesday 17000

0 Karma

SplunkTrust

You can achieve this by using the loadjob command. It requires configuring the saved search in two steps.

A) Have your saved search created with the regular command and schedule, and let it run at least once on that schedule (so that you have a previous run's result).

index=_internal | stats count by sourcetype  

Runs every minute

B) Once it has run once, add the following to the search string to append the result of the last run and then summarize again.

The new part starts at the append command:

index=_internal | stats count by sourcetype
| append [| loadjob savedsearch="PutownerName:PutAppName:PutSavedSearchName" ]
| stats sum(count) as count by sourcetype

Now the next run will include the results from last run as well.

Remember, it will produce a cumulative effect.

Like
Run 1     Result 1
Run 2     Result 1+2
Run 3     Result 1,2 + 3
...
0 Karma
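As an added example (not part of the answer above), the same loadjob pattern extended to the running average the question asks for. The saved search name is the answer's placeholder and must be replaced with the real owner:app:name; each run carries a total and a run counter so the average is exact rather than an average of averages.

```spl
index=_internal
| stats count as total by sourcetype
| eval runs=1
| append
    [| loadjob savedsearch="PutownerName:PutAppName:PutSavedSearchName"
     | fields sourcetype, total, runs ]
| stats sum(total) as total, sum(runs) as runs by sourcetype
| eval running_avg=round(total/runs, 2)
```

On the first scheduled run there is no prior job for loadjob to read, which is why the plain search has to be scheduled and run once first; from the second run on, total and runs accumulate while running_avg stays the per-run mean.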

Influencer

I assume that your scheduled saved search is run once a day.

Create a summary index and index the summarized data at the end of every run. Using this summary index you can generate reports for any time range (weekly, biweekly, monthly, etc.).

0 Karma

Influencer

Ok. I tried with the same configuration and it works perfectly fine. Data gets stored in the summary index as well.

0 Karma

Explorer

30 followed by four *'s is what I actually have. The comment just truncates the last two *'s.

0 Karma

Influencer

Yeah, I understood after taking a close look at the search. I followed your configuration with minor changes. It's working for me. The changes that I made are:
StartTime: -1d # This was the default and I left it as-is
FinishTime: # This was blank and I left it as-is
cron: 30 * * * *
All other settings are the same.

Your cron schedule is wrong. 30 * * is not right. If you try to save that, it will display an error.

0 Karma

Explorer

Yes, the search does work. The stuff in the [[[ ]]] is the configuration I used to set up the alert and summary indexing. I would look at the .conf files, but I don't have access to the servers.

0 Karma

Influencer

Yes, the storage preferences are part of the indexes.conf file. Users can override the default settings by placing a copy of the file under the /local directory.

0 Karma

Influencer

When I try to execute the search that you have given, it throws a search parser error. Are you sure that it runs and gives you results?

0 Karma

Explorer

If the storage preferences are in a .conf file, I do not have access to them.

0 Karma

Explorer

| metasearch earliest=@h-1h latest=@h index=voice
| fields _time,host
| bucket _time span=1h
| bucket host
| stats count by _time,host
| eval month=strftime(_time, "%m")
| eval day=strftime(_time, "%d")
| eval dayOfWeek=strftime(_time, "%w")
| eval hour=strftime(_time, "%H")
| table host,month,day,dayOfWeek,hour,count
| sort host,hour,day

Alert Config: [[[StartTime:@h-1h, FinishTime:@h, Scheduled:cron[30 * * * *], Severity:info, Expiration:24hr, Summary Indexing: ENABLED, Summary Index: Summary, Add Fields: report=voice import_count]]]

0 Karma

Influencer

Can you post your search here? That will help us see whether you have scheduled it properly, and also your storage preferences.

0 Karma

Explorer

I've scheduled an alert to be summary indexed with my search and it doesn't seem to be running. When I click View Recent there are no reports stored there, but if I click Run I can see results. There also don't seem to be results in index=summary (the index I used). How can I tell what's going on with the search?

0 Karma