Splunk Search

Index an Event based on the results of a Splunk Query.

lpolo
Motivator

I have a custom search command. It is scheduled to run every 5min. The results are indexed in a summary index.

I need to index the results of the custom search command, if and only if, the latest indexed event is not equal to the results of the custom search command.

Example:

1) Events found in index=custom

_time field=value field_A=value

2) Run custom search command at time_1:

|custom_search_command

Results:

_time field=value field_A=value

Events should not be indexed.

3) Run custom search command at time_2:

|custom_search_command

Results:

_time field=value_y field_A=value_x

The event should be indexed in index=custom. Therefore, at time "time_1": there should be 2 events in the summary index:

_time field=value field_A=value
_time_1 field=value_y field_A=value_x

Can a Splunk search query get the result set of the custom search command, if and only if, the value of "field and field_A" are not found in the latest event stored in index=custom?

Thanks,
Lp


sideview
SplunkTrust

Something like this should work:

| custom_search_command | append [search index=custom | head 1 | table field field_A | eval isFromSummary="1"] | stats last(isFromSummary) as isFromSummary by field field_A | where isnull(isFromSummary)

The custom command's output is appended to the last row from your summary index. Then we use stats to roll up all the combinations of field and field_A. If the current result is the same as the summarized result there will be only one row, it'll have isFromSummary="1", and it'll get wiped out in the last where clause. And when a search result has 0 rows and it gets written to summary, I think nothing actually gets written.

And in the cases where the two results are different, our stats command wipes away the summary result, but leaves the single row that was our custom_search_command output.
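A complete scheduled search built on the approach above, added here as an example rather than taken from the answer or from Splunk's own documentation. It goes slightly beyond the one-liner: instead of `head 1` it compares against every summary event carrying the latest `_time` (so a multi-row result set indexed in one run is handled), keeps `_time` from the custom command's rows, and writes the surviving rows with `collect`. The index name `custom` and the field names come from the question; the `earliest=-24h` window on the subsearch is an assumption.

```spl
| custom_search_command
| append
    [ search index=custom earliest=-24h
      | eventstats max(_time) AS latest_time
      | where _time = latest_time
      | table field field_A
      | eval isFromSummary="1" ]
| stats last(isFromSummary) AS isFromSummary, max(_time) AS _time BY field field_A
| where isnull(isFromSummary)
| fields - isFromSummary
| collect index=custom
```

Rows whose field/field_A pair already appears in the latest summary event(s) carry isFromSummary="1" after stats and are dropped, so collect only receives new combinations; when nothing survives, nothing is written.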

lpolo
Motivator

Thanks.
Lp
