
three search in same page with alert and time span=3 month

Motivator

I want to run three different searches on the same page for a time span of 3 months.
I need an alert to be configured for them.

0 Karma

Re: three search in same page with alert and time span=3 month

Motivator

any update?

0 Karma

Re: three search in same page with alert and time span=3 month

Motivator

Can you please provide more information.
What are you searching for? What are your searches? Is this a dashboard? What do you want to alert on?

0 Karma

Re: three search in same page with alert and time span=3 month

Motivator

No, it's not a dashboard. I want to run searches to find 3 data counts; all are different.
Is there any way to do that apart from a dashboard?

0 Karma

Re: three search in same page with alert and time span=3 month

Motivator

You need to provide more information.
Please give examples of the events you're searching and explain what counts you want.

0 Karma

Re: three search in same page with alert and time span=3 month

Motivator

Yes..
index=A sourcetype=B "XXX" | stats count by XXX
index=A sourcetype=B "YYY" | stats count by YYY
index=A sourcetype=B "ZZZ" | stats count by ZZZ

I want these three tables on one page and an alert configured for this.

0 Karma

Re: three search in same page with alert and time span=3 month

Champion

Does your alert depend on the output of 3 different searches? Can you share your searches and alert conditions?

0 Karma

Re: three search in same page with alert and time span=3 month

Champion

Did you try using the append command?

index=A sourcetype=B "XXX" | stats count by XXX | append [search index=A sourcetype=B "YYY" | stats count by YYY] | append [search index=A sourcetype=B "ZZZ" | stats count by ZZZ]

Re: three search in same page with alert and time span=3 month

Motivator

Thanks.. please post this in the answer tab.

0 Karma

Re: three search in same page with alert and time span=3 month

Legend

@logloganathan you should explore the multisearch command, which is not restricted by sub-search limitations:

| multisearch 
    [search index=A sourcetype=B XXX=*]
    [search index=A sourcetype=B YYY=*]
    [search index=A sourcetype=B ZZZ=*]
| stats count by XXX YYY ZZZ

However, Splunk has numerous event grouping and correlation mechanisms depending on the use case, and we cannot always apply any one correlation mechanism to all scenarios.

So you should elaborate on what exactly your use case is. If you are planning to pull 3 months of data to create an alert, could you rely on summary indexing instead? The community would be able to assist you better if you add more context to your question: what is your use case, what does your data look like, what have you tried so far and what does not seem to work?

I don't think a doctor should treat a patient based on a hunch; rather, the cure should be based upon the symptoms!!! So for us to help you better, add as many details as possible to your questions 🙂

| eval message="Happy Splunking!!!"



0 Karma
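As an added example (not from any post in this thread), here are the three counts from the question combined into one multisearch, with each branch tagged by an `eval` so a single `stats` produces one row per pattern over the last 3 months. Index A, sourcetype B and the search terms come from the thread; the 3-month time modifiers and the threshold of 100 are assumptions. The tagging matters because `stats count by XXX YYY ZZZ` only keeps events that carry all three fields, and each branch supplies just one of them, so that form returns no rows.

```spl
| multisearch
    [ search index=A sourcetype=B "XXX" earliest=-3mon@d latest=@d
      | eval pattern="XXX" ]
    [ search index=A sourcetype=B "YYY" earliest=-3mon@d latest=@d
      | eval pattern="YYY" ]
    [ search index=A sourcetype=B "ZZZ" earliest=-3mon@d latest=@d
      | eval pattern="ZZZ" ]
| stats count by pattern
| eval threshold=100
| where count > threshold
```

Saved as a scheduled alert with the trigger condition "Number of Results is greater than 0", the final `where` makes the search return rows only for patterns over the threshold; drop the last two lines to keep the plain three-row table for viewing. For a recurring 3-month window, the summary-indexing suggestion above keeps the schedule cheap.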