- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking to write an alert that would query a report I have saved that runs every day. I would like it to look for certain fields in the report and if they match, to perform an action, is this possible?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this,
| savedsearch your_report_name | fields * | .......
please check below link,
https://docs.splunk.com/Documentation/SplunkCloud/6.5.1/SearchReference/Savedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i would use loadjob. http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Loadjob
Loadjob will use the results from a previously ran report, just make sure your time range encompasses the entire time frame of the report. In other words, if the report was ran this morning, but covered data for the previous month, make sure that you run loadjob for the previous month to now, at least that's my experience. You also need to make sure you're saving the results long enough. If you need to access the results only every 24 hours, then you only need to save them for 24 hours.
|loadjob savedsearch="username:appname:savedsearchname" |search field1=x.....
or use |where field1=field2 or just |fields field1 field2 depending on what you're trying to accomplish, exactly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this,
| savedsearch your_report_name | fields * | .......
please check below link,
https://docs.splunk.com/Documentation/SplunkCloud/6.5.1/SearchReference/Savedsearch
