Splunk Search

splunk scheduled search across different indexes

Mag2sub
Path Finder

We have a search that is scheduled to run across several different, diverse indexes... this search also triggers only when the number of events is greater than x... how do we ensure that, although we have a common search, the number-of-events condition is satisfied only if it is coming from the same index as previously?

...i.e. we have indexes a, b, c, d and we have a search that does not hardcode the index, and the role of the user maps to all indexes by default... when we run a conditional search to trigger... how do we ensure that, say, the trigger "> 25 event count" is satisfied only if we see 25 events from the individual "a" index and not 25 aggregated across indexes?

Appreciate it!

0 Karma

lguinn2
Legend

When you set your alert trigger condition, instead of using one of the pre-built conditions like "number of events", choose "custom condition" and in the custom condition, put

stats count by index | where count >= 25
0 Karma
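As an added illustration of the approach in this answer (example search written for this page, not posted by lguinn2): the scheduled search keeps the index unspecified, so the user's role decides which indexes are searched, and the `stats ... BY index` step produces one row per index. A row only survives the `where` clause when that single index reaches the threshold, so an aggregate of 25 spread across indexes cannot fire the alert. `sigid=1545` is the field from the question; the time range and threshold are assumptions.

```spl
sigid=1545 earliest=-15m latest=now
| stats count BY index
| where count >= 25
```

Two equivalent ways to wire this into the alert: keep the whole pipeline as the scheduled search and set the trigger to "number of results > 0", or leave the scheduled search as `sigid=1545 | stats count BY index` and put `search count >= 25` in the custom trigger condition. The trap the question describes is a search ending in `| stats count` with no `BY index`, which returns a single aggregate row and fires as soon as the combined total across all indexes reaches 25.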

lukejadamec
Super Champion

You could post your search, so we can review it for syntax or method issues. Or, you could test it under the conditions you specified.

From the details you posted, I can assure you that if all of the forwarders are online and latency is not a factor, then a properly configured multi-index search will not affect the conditional alert.

This answer is given under the assumption that when you say "conditional search" you mean to say "conditional alert".

0 Karma

Mag2sub
Path Finder

Could you clarify your answer against... no forwarders involved; IPSs from different departments each logging to their own index.
A simple example: search sigid=1545 across IPS logs from multiple departments (aka each department has their own index); conditional alert event count > 25... and this cannot be triggered if the event count is aggregated across all indexes, but rather only if the 25 event count is met from the same index every time (please note the user role has access set up to search all indexes by default).

0 Karma