In need of search string examples for:
Desired outcome:
Alert that shows N events in M amount of time or the lack of N events in M amount of time.
- For the alert to be within parameters to qualify as BatchModeSearch
Requirements for batch mode search
Transforming searches that meet the following conditions can run in batch mode.
The searches need to use generating commands like search, loadjob, datamodel, pivot, or dbinspect.
The search can include transforming commands, like stats, chart, and so on. However, the search cannot include commands like localize and transaction.
If the search is not distributed, it cannot use commands that require time-ordered events, like streamstats, head, and tail.
Confirm whether or not a search is running in batch mode by using the Search Job Inspector. Batch mode search is indicated by the boolean parameter isBatchModeSearch.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Configurebatchmodesearch
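Two search strings that satisfy the batch-mode conditions quoted above (generating command search, transforming command stats, no streamstats/head/tail/transaction), added here as an illustration and not part of the original post. The index, sourcetype and field names (index=security, sourcetype=auth, action, host) and the thresholds are assumed placeholders; M is set by the earliest/latest time range and N by the where clause.

```spl
/* Case 1: alert when at least N events occur in M minutes.
   Here M = 15 minutes (snapped to the minute) and N = 50 failed logons per host.
   Schedule the alert every 15 minutes and trigger when "number of results" > 0. */
index=security sourcetype=auth action=failure earliest=-15m@m latest=@m
| stats count AS failures BY host
| where failures >= 50

/* Case 2: alert on the LACK of events (e.g. a log source went silent).
   stats count with no matching events still returns one row with count=0,
   so the where clause fires when fewer than N = 10 events arrived in M = 15 minutes.
   Same schedule and trigger condition as above. */
index=security sourcetype=auth earliest=-15m@m latest=@m
| stats count AS events
| where events < 10
```

After saving each search, open it in the Search Job Inspector and confirm that isBatchModeSearch is 1; if it is 0, check that no time-ordered or event-pairing command was added to the pipeline.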