Splunk Search

Is there a command that I can add to the search query in order to pass the results to the index?

splunknoob2
Observer

Hello,

I have a question regarding the indexing of search results. So, I have an alert that's currently active, performing a search and passing the results to a particular event through log events. I would like to modify this job to run in a specific past time window; however, I can't edit the job, so I would like to be able to run the same search through the Splunk search bar and pass the results to the index. I can run the search and get the results through the search bar but can't output them to the index.

Is there a command that I can add to the search query in order to pass the results to the index?

Thanks in advance.


gcusello
SplunkTrust

Hi @splunknoob2,

you could clone your alert into a new one that is normally kept disabled, while the original one continues to work.

When you need to run it, you could modify the time frame or other parameters of the cloned alert and run it once.

In this way, you would keep all the actions of the original alert and have a new one that you can modify without any change to the original.

Only for my information, are you speaking of a Correlation Search in ES or of an alert in another App?

Ciao.

Giuseppe


splunknoob2
Observer

Thanks for your answer. However, I cannot clone the job because there are several search heads in the environment, and if I do it the job will only appear on the SH I am on (which usually isn't the "captain"). Is there a command to do it in the search bar, something like "|logactions", that would take an expression like "action.logevent.param.event = _time=$result._time$" as a parameter? I tried collect; however, it does not work exactly like the log event action.

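The `collect` command mentioned above is the SPL command that writes search results into an index from the search bar, so here is an added example (not posted in this thread and not Splunk's own documentation) of a search-bar rerun of such a job over a fixed past window. The base search, the `web_5xx_alert` name, the field names and the `summary_alerts` index are assumptions standing in for the real alert's search; `collect` itself and its `index`, `source`, `sourcetype`, `addtime` and `marker` options are real.

```spl
index=web sourcetype=access_combined status>=500 earliest="03/01/2024:00:00:00" latest="03/02/2024:00:00:00"
| table _time host status uri_path
| collect index=summary_alerts source="manual_rerun" sourcetype=stash addtime=true marker="rerun=manual, original_alert=web_5xx_alert"
```

A few points a practitioner would check before running this. `earliest`/`latest` pin the past time window in the search itself, so the time picker cannot silently override it. The target index must already exist and the running user must be allowed to write to it; `collect` does not create indexes. `addtime=true` (the default) prefixes each written event with its own `_time`, which is the closest equivalent of the `_time=$result._time$` token in the Log Event action; with `addtime=false` the events are stamped with the search time instead. Keep the default `sourcetype=stash` unless you need something else: stash data is not counted against the license, whereas a custom sourcetype is. `collect` writes the remaining fields as key=value text into the new event's `_raw`, so narrow the results with `table` or `fields` first, and use `marker` to tag the manually written events so they can be told apart from what the scheduled alert wrote.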

gcusello
SplunkTrust

Hi @splunknoob2,

if you're using a Search Head Cluster and you clone a knowledge object (like a Correlation Search) on one SH, the operation is replicated to the others.

The same happens if you modify some setting in a Correlation Search, but it's a best practice not to modify a default Correlation Search; it's always better to clone it and modify the cloned one.

If instead you don't have a Cluster, you have to do the same things manually.

Ciao.

Giuseppe
