Reporting

Scheduled saved search based on a specific event in a log

skavuluri
Engager

How do we set up a scheduled saved search that generates a result set emailed to a set of users based on a specific message detected in another file?

Step 1 // A given saved search runs on a 30-minute schedule.

Step 2 // Generate a daily report if and only if
// a certain "GOODBYE MESSAGE" is detected in another log in that last 30-minute interval.

Step 3 // If not found in step 2, the saved search repeats itself every 30 minutes until GOODBYE MESSAGE is detected.


vlapeintuit
Explorer

In the search query, add "| stats count | where count > 1" to the end of your search. So for example, my log looks like:

date time foo hello message
date time foo goodbye message

My search would be:
sourcetype="bla" "goodbye message" | stats count | where count >1

Make it a saved search that runs every 30 min.


skavuluri
Engager

Thanks for your input. That's only a partial search. Once we find that goodbye message (count > 1), we want to trigger another search, which I was referring to in step 1. So in essence, something like this -
//IF GOODBYE MESSAGE FOUND from first search,
//THEN RUN a second search to harvest certain data for the last 12 hours.

This seems to fit more in the subsearch category, but we could not get it to work the way we want it to.
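One way to express that IF/THEN gating in a single scheduled search, added here as an example and not taken from the thread: the first search looks for the goodbye message in the last 30 minutes, and map runs the 12-hour report search only if a row survives the where clause. The index, sourcetype and field names (control_log, app_log, host, status) are assumed, and the threshold is count > 0 rather than the > 1 used in the accepted answer.

```spl
index=control sourcetype=control_log "GOODBYE MESSAGE" earliest=-30m latest=now
| stats count AS goodbye_count
| where goodbye_count > 0
| map maxsearches=1 search="search index=app sourcetype=app_log earliest=-12h latest=now | stats count AS events BY host, status"
```

Because map issues its inner search once per input row, an absent goodbye message leaves zero rows after where, so the inner search never runs and the job returns no results. Saving this as an alert scheduled every 30 minutes with the trigger condition "Number of results > 0" and an email action sends the report only in an interval where the message was seen.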
