- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to use collect in an alert
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use collect in an alert
i have an alert that send email to my id when the event is triggered.
I also want the same alert to dump the data into my summary index.
I added | collect index=sumindex
at the end of my alert.
Alert still works and fires email, but is not writing anything to the summary index.
Can anyone help me where I am wrong or has a better way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found a solution, but with splunk 7.0
It gives an option to output search resuts to a lookup.
I can then use the lookup to display the result.
Thanx for all the help...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunk_down, I have converted your comment to Answer. Please accept the same to mark this question as answered.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunk_down, collect command will work with real-time searches with All Time as selection. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect#Usage
does your search return single row or multiple? If it returns single row, you can use Alert Action to write to index directly using Alert Actions to Log Events and use default token for custom Alert Action: http://docs.splunk.com/Documentation/Splunk/latest/Alert/LogEvents
http://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens#Result_tokens
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the summary index already exist? Have you tried searching a larger time window than you think you need? In my experience, if I have a scheduled search that collects events into a summary index, the events will often be timestamped with the earliest time in the search window. (So, for example, if I searched noon-4pm, the events will be timestamped noon, even if they actually took place near 4pm.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes the summary index exists. the alert is set to real-time(need requires it to be real time). So cant work with increasing the schedule window.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
