Reporting

Scheduled saved search based on an a specific event in a log

skavuluri
Engager

How do we setup a scheduled saved search that generates a result set emailed to a set of users based on a specific message detected in another file.

Step 1 // A given Saved search runs every 30 mins schedule.

Step 2 // generate a daily report if and only if
// a certain "GOODBYE MESSAGE" is detected in another log in that last 30 min interval.

Step3 //If not found in step2, the Saved search repeats itself every 30 mins until GOODBYE MESSAGE is detected.

Tags (3)
0 Karma
1 Solution

vlapeintuit
Explorer

in the search query add "| stats count| where count > 1" to the end of your search. so for example my log looks like:

date time foo hello message
date time foo goodbye message

my search would be:
sourcetype="bla" "goodbye message" | stats count | where count >1

make it a saved search that runs every 30 min....

View solution in original post

vlapeintuit
Explorer

in the search query add "| stats count| where count > 1" to the end of your search. so for example my log looks like:

date time foo hello message
date time foo goodbye message

my search would be:
sourcetype="bla" "goodbye message" | stats count | where count >1

make it a saved search that runs every 30 min....

skavuluri
Engager

Thanks for your input. That's only partial search. Once we find that goodbye message (coutn >1) we want to trigger another search which I was referring to in step1. So in essence something like this -
//IF GOODBYE MESSAGE FOUND from first search,
//THEN RUN a second search to harvest certain data for the last 12 hours.

This seem to fit more in subsearch category but we could not get it to work the way we want it to.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...