Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create notable events alert if any of correlation searches get skipped?

manojannabathin
Loves-to-Learn Everything
‎01-24-2023 04:20 AM

How can i create notable events alert if any of correlation searches is getting skipped?

Labels (1)
Labels
0 Karma
Reply

shivanshu1593
Builder
‎01-30-2023 09:03 AM

Try the following:

index=_internal sourcetype=scheduler status=skipped
| stats values(reason) as reason, count by savedsearch_name


When you run the search, let it execute, then click on "Save As" on the top right hand corner, then click on save as alert, fill in the details in the dialogue box which is pretty straight forward (If you want all results in one email, select in the dialogue box Once, if you want an individual email for each search, then select for each results) and then select the alert action as per your requirement. Ex: Send email alert action to send an email to you and others.

Hope this helps.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 10:42 AM

This is good, but it will return all skipped searches, not just correlation searches.  Since the Scheduler log does not distinguish CSs from ordinary scheduled searches, we need to filter by CS name.  We can get a list of all CS names using REST.

index=_internal sourcetype=scheduler status=skipped host=<<my SH>>
[ | rest /services/saved/searches splunk_server=local 
  | search is_scheduled=1 disabled=0 action.correlationsearch.enabled=1 
  | fields title 
  | rename title as savedsearch_name 
  | format ]
---
If this reply helps you, Karma would be appreciated.
Reply

manojannabathin
Loves-to-Learn Everything
‎02-03-2023 06:08 AM

This query is not working i cant see any results 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-03-2023 06:12 AM

Do you have access to the _internal index?  If not, you'll get no results.  Did you replace the placeholder following "host="?  Is the time range large enough to find skipped searches?

Have you tried running the subsearch by itself to verify it returns results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2023 08:59 AM

The Monitoring Console has a search for skipped searches.  See Search->Scheduler Activity.  Use that search as a model to create a CS that detects skipped searches.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

manojannabathin
Loves-to-Learn Everything
‎01-30-2023 07:38 AM
  • I wanna create a alert for when the searches or alerts are skipped for correlation searches
0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...