Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk scheduled search across different indexes

Mag2sub
Path Finder
‎01-14-2014 04:45 PM

We have a search that is scheduled to run across several different,diverse index...this serach also trigger only when number of events > than x number of events ...how do we ensure that although we have a common search ...the number of events condition is satisfied only if its coming from only the same index as previous

..ie we have index a,b,c,d and we have a search that does not hardcode index and the role of the user maps to all indexes by default ...when we run a conditional search to trigger if ...how do we ensure that say trigger > 25 event count is satisfied only if we see 25 events from individual" a "index and not 25 aggregate across indexes

Appreciate !

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎01-14-2014 06:16 PM

When you set your alert trigger condition, instead of using one of the pre-built conditions like "number of events", choose "custom condition" and in the custom condition, put

stats count by index | where count >= 25
0 Karma
Reply

lukejadamec
Super Champion
‎01-14-2014 05:29 PM

You could post your search, so we can review it for syntax or method issues. Or, you could test it under the conditions you specified.

From the details you posted, I can assure you that If all of the forwarders are online and latency is not a factor, then a properly configured multi index search will not affect the conditional alert.

This answer is given under the assumption that when you say "conditional search" you mean to say "conditional alert".

0 Karma
Reply

Mag2sub
Path Finder
‎01-14-2014 06:36 PM

Could you clarify your answer against ..no forwarders involved ips's from different departments logging each to their own index
a simple ex : search sigid=1545 across ips logs from multiple department (aka each department has their own index" conditional alert event count > 25 ...and this cannot be triggered if event count is aggregated across all indexes but rather only if 25 event count is met from same index every time (please note user role has access setuo to search all indexes by default)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...