
About setting alert (search)

Explorer

I would like to compare the two logs and output the attachment file name to the alert if it is the same message ID.

For example, the A log and the B log are compared, and when the message ID is the same, the attached file name described in the B log is outputted to the alert.

Is this possible?
If it is possible, what kind of search sentences should I write?

1 Solution

SplunkTrust

I believe that niketnilay's answer is pretty much what you need.

Here's another way of looking at it. Remember that only streaming commands are allowed in the subsearches in multisearch:

| multisearch
    [search index=Alog logtype=message_log from=* subject=* | fields index messageID subject count from]
    [search index=Blog your other search terms | fields index messageID filename]
| whatever you omitted
| stats count as eventcount values(*) as * by messageID


Explorer

Thank you very much.
I thank everyone who responded.


SplunkTrust

@honobe, it will be easier for us to assist if you provide sample/mocked data and field names from log A and log B.

If the two sources/sourcetypes for log A and log B are different and both have a messageID field, you are looking for the stats command to correlate them and alert when the number of results is > 0:

sourcetype="logA" OR sourcetype="logB" messageID=*
| stats count as eventcount values(sourcetype) as sourcetypes by messageID
| search eventcount>1 sourcetypes="logA" AND sourcetypes="logB"

Explorer

Thank you for the answers.
I am sorry that there was little explanation.

Currently only A logs are acquired.
The attached file name is not displayed in the A log; I will try to acquire it from the B log.
* The attached file name is displayed in the B log.

Therefore, I want to compare the message IDs of the A log and the B log and, when they are the same, output the attachment file name from the B log.

Currently the following search is used:

index=Alog logtype=messagelog from="" subject=""
| 【omitted】
| table subject, count, from
| collect index=xxx source="yyy" sourcetype=generic
single_line

I would like to add the attached file name to the output of the search that is finally being used.
I would like to display the attachment file name that is linked to the message ID.


Motivator

@honobe

Then you can use the sendemail command in the query itself:

your base search | sendemail to=example@splunk.com server=mail.example.com subject="$messageid$ " message="$messageid$" sendresults=true format=raw sendpdf=true

I hope it helps.

SplunkTrust

@niketnilay - add values(filename) as filename

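Combining the two answers (the stats correlation and the values(filename) addition), an added example of the complete alert search, not posted by anyone in this thread; it assumes the index names Alog and Blog and the field names messageID, subject, count, from and filename used above:

```spl
(index=Alog logtype=message_log messageID=*) OR (index=Blog messageID=* filename=*)
| stats count AS eventcount
        values(index) AS indexes
        values(subject) AS subject
        values(count) AS count
        values(from) AS from
        values(filename) AS filename
        BY messageID
| where mvcount(indexes)=2
| table messageID subject count from filename eventcount
```

The `where mvcount(indexes)=2` line keeps only message IDs that appear in both indexes, so the filename column is always taken from the B log; saved as an alert with the trigger condition "number of results > 0", it fires only when such a match exists.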