Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scheduled saved search based on an a specific event in a log

skavuluri
Engager
‎10-07-2011 11:33 AM

How do we setup a scheduled saved search that generates a result set emailed to a set of users based on a specific message detected in another file.

Step 1 // A given Saved search runs every 30 mins schedule.

Step 2 // generate a daily report if and only if
// a certain "GOODBYE MESSAGE" is detected in another log in that last 30 min interval.

Step3 //If not found in step2, the Saved search repeats itself every 30 mins until GOODBYE MESSAGE is detected.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vlapeintuit
Explorer
‎10-10-2011 01:43 PM

in the search query add "| stats count| where count > 1" to the end of your search. so for example my log looks like:

date time foo hello message
date time foo goodbye message

my search would be:
sourcetype="bla" "goodbye message" | stats count | where count >1

make it a saved search that runs every 30 min....

View solution in original post

Reply
Solved! Jump to solution
Solution

vlapeintuit
Explorer
‎10-10-2011 01:43 PM

in the search query add "| stats count| where count > 1" to the end of your search. so for example my log looks like:

date time foo hello message
date time foo goodbye message

my search would be:
sourcetype="bla" "goodbye message" | stats count | where count >1

make it a saved search that runs every 30 min....

Reply
Solved! Jump to solution

skavuluri
Engager
‎10-14-2011 01:33 PM

Thanks for your input. That's only partial search. Once we find that goodbye message (coutn >1) we want to trigger another search which I was referring to in step1. So in essence something like this -
//IF GOODBYE MESSAGE FOUND from first search,
//THEN RUN a second search to harvest certain data for the last 12 hours.

This seem to fit more in subsearch category but we could not get it to work the way we want it to.

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...