Splunk Search

combining multiple searches in alert



I have a daily error report for failed logins. It's a very easy one:

'user not found | append [search "invalid password"] | append [search "invalid username"] | stats count by sourcetype'

I made a scheduled report. It emails me as:
Sourcetype1 1000
Sourcetype2 4000
Sourcetype3 500

I want to change it so that it emails me for each query term rather than for each sourcetype. How do I do that?


Re: combining multiple searches in alert

Splunk Employee

I think that per-result alerting will help you achieve your goal.
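As an added example (not part of the original question or answer), the search above can be rewritten so that each appended subsearch tags its own results with the query term it matched, and the final `stats` groups by that tag instead of by `sourcetype`. The field name `term` is an assumption; the first clause is quoted as a phrase here, which is stricter than the original unquoted `user not found`.

```spl
search "user not found" | eval term="user not found"
| append [search "invalid password" | eval term="invalid password"]
| append [search "invalid username" | eval term="invalid username"]
| stats count by term
```

The result has one row per query term, so with the alert set to trigger for each result (per-result alerting, `alert.digest_mode = 0` in savedsearches.conf) each term produces its own email; replace `stats count by term` with `stats count by term, sourcetype` if the per-sourcetype breakdown is still wanted inside each row.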