Solved: Re: About setting alert (search)

honobe · ‎07-20-2017

I would like to compare the two logs and output the attachment file name to the alert if it is the same message ID.

For example, the A log and the B log are compared, and when the message ID is the same, the attached file name described in the B log is outputted to the alert.

Is this possible?
If it is possible,what kind of search sentences should I write?

DalJeanis · ‎07-21-2017

I believe that niketnilay's answer is pretty much what you need.

Here's another way of looking at it. Remember that only streaming commands are allowed in the subsearches in multisearch,

| multisearch 

      [search index = Alog logtype=message_log from=* subject=* | fields index messageID subject count from]

      [search index = Blog  your other search terms  | fields index messageID filename]

 | whatever you omitted

 | stats count as eventcount values(*) as * by messageID

View solution in original post

DalJeanis · ‎07-21-2017

I believe that niketnilay's answer is pretty much what you need.

Here's another way of looking at it. Remember that only streaming commands are allowed in the subsearches in multisearch,

| multisearch 

      [search index = Alog logtype=message_log from=* subject=* | fields index messageID subject count from]

      [search index = Blog  your other search terms  | fields index messageID filename]

 | whatever you omitted

 | stats count as eventcount values(*) as * by messageID

honobe · ‎07-25-2017

Thank you very much.
I thank everyone who responded.

niketn · ‎07-20-2017

@honobe, it will be easier for us to assist if you provide sample/mocked data and field names from log A and log B.

If two sources/sourcetypes for log A and log B are different and both have messageID field, you are looking for stats command to correlate them and alert when number of result > 0

sourcetype="logA" OR sourcetype="logB" messageID=*
| stats count as eventcount values(sourcetype) as sourcetypes by messageID
| search eventcount>1 sourcetype="logA" AND sourcetype="logB"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

honobe · ‎07-20-2017

Thank you for answers.
I am sorry that there is little explanation.

Currently only A logs are acquired.
The attached file name is not displayed in the A log, I will try to acquire it from the B log.
* The attached file name is displayed in the B log.

Therefore, compare the message IDs of the A log and B log, and in the same case, want to be able to output the attachment file name of the B log.

Currently the following search sentences are used.

Index = A log logtype = message_log from = "" subject = ""
| 【omitted】
| table subject, count, from
| collect index = xxx source = "yyy" sourcetype = generic_single_line

I would like to add the attached file name to the output result of the search sentence that is finally being used.
I would like to display the attachment file name that is linked to the message ID

sbbadri · ‎07-21-2017

@honobe

Then you can use sendemail command on the query itself.

your base search | sendemail to=example@splunk.com server=mail.example.com subject="$message_id$ " message="$message_id$" sendresults=true format=raw sendpdf=true

I hope it helps

DalJeanis · ‎07-20-2017

@niketnilay - add values(filename) as filename

About setting alert (search)

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk