Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to chain searches?

daniel333
Builder
‎03-19-2018 01:26 PM

All,

A user just asked me this, any ideas on how to do this?

Splunkj Q: is the following supported?
I create an alert with a search trigger condition. If alert is triggered, run a different query, dump the results of that second query in an email to me
i.e., I want an alert to trigger a secondary search (because this additional search would contain useful diag. info on the main problem that triggered the alert originally) and have that secondary search data as the email (edited)

concretely
alert trigger: index=siebel "SBL-EAI-04117" earliest=-5m | stats count | where count>200 (edited)
if triggered, execute: index=siebel "SBL-EAI-04117" earliest=-60m | bin _time span=5m | stats count by _time | sort _time
(if error count threshold breached, show me the last 60 minutes of data in an email)

Tags (2)
Reply

pradeepkumarg
Influencer
‎03-19-2018 02:10 PM

You could do this in just one search

index=siebel "SBL-EAI-04117" earliest=-60m | bin _time span=5m | stats count by _time | sort _time | eventstats first(count) as last_5min | search last_5min > 200
0 Karma
Reply

elliotproebstel
Champion
‎03-19-2018 02:05 PM

Might be a better way, but this should work:

index=siebel "SBL-EAI-04117" earliest=-60m 
| bin _time span=5m 
| stats count by _time 
| sort _time
| eventstats latest(count) AS 5m_count
| where '5m_count'>200
| fields - '5m_count'

And then send an alert if the result count is not zero. The eventstats line will find the count from the latest 5 minutes, apply that count to all events, and then retain only the events where the 5m_count field is greater than 200. Because it'll be the same value for all events, it will either retain all events or throw away all of them.

Reply

pradeepkumarg
Influencer
‎03-19-2018 02:11 PM

Saw your answer after submitting mine. Pretty close 🙂

Reply

elliotproebstel
Champion
‎03-19-2018 02:20 PM

Gives me more confidence that this is the right way! 🙂 Great minds and all that...

Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...