Splunk Search

How to set alerts to use the batch mode search?

svishnevskaya_s
Splunk Employee
Splunk Employee

In need of search string examples for:

Desired outcome:
Alert that shows N events in M amount of time or the lack of N events in M amount of time.

-For alert be to within parameters to qualify as BatchModeSearch

Requirements for batch mode search
Transforming searches that meet the following conditions can run in batch mode.

  • The searches need to use generating commands like search, loadjob, datamodel, pivot, or dbinspect.
  • The search can include transforming commands, like stats, chart, and so on. However the search cannot include commands like localize and transaction.
  • If the search is not distributed, it cannot use commands that require time-ordered events, like streamstats, head, and tail.
  • Confirm whether or not a search is running in batch mode by using the Search Job Inspector. Batch mode search is indicated by the boolean parameter isBatchModeSearch.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Configurebatchmodesearch

0 Karma

jrodman
Splunk Employee
Splunk Employee

If you write your search to be such a reporting type search that returns events if your condition is true and doesn't if your condition is false, you get what you want.

The search machinery, to use batch mode, has to be able to determine that there is nothing about the search that is going to require fetching the events strictly in time order. If the output of the search is the events themselves, it can't do that. However if you deal with counts, it can do that.

Simply determine the count as part of the search, rather than an alert post-action.

burwell
SplunkTrust
SplunkTrust

I am interested in examples. We have a number of alerts and where we alert on some threshold of events in the past 5/10/15 minutes.

We noticed that we could transform our alerts into "isBatchMode" alerts to take advantage of batch mode search by adding "| stats count". But it is nice to see the actual events or else information about the events rather than just a count number.

I welcome ideas on ways to convert searches into batch mode search alerts.

0 Karma

jrodman
Splunk Employee
Splunk Employee

The problem with the goal of wanting to see the events while run in batch mode is that the batch mode execution path cannot produce the events in time-order. That would make reviewing the event stream of the search extremely confusing in some cases, and would break our general contract in any event.

That said, there's a useful Enhancement Request in here somewhere, but I'm not sure what it is exactly. Maybe something like "we want the efficiency of batch mode searches for alerting, but .... we want to see the events." I'm not sure if that's "sometimes while troubleshooting, or "in the case the alert actually fires" or what. Basically the interface has to be usable and it has to work out to somehow be cheaper than not running the search in batch mode in the first place.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...