Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a Token to get all fields from a search result?

simon_b
Path Finder
‎06-19-2023 07:49 AM

I would like to use the "Log Event" alert action to store all fields that are in the result of the search into an index.

 

Is there a token (like $result.fieldname$) which gives back not only one specified field of the result but all fields?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-19-2023 09:08 AM

It depends on your search - the events returned from the first part of your search would normally have an _raw field. However, this is often parsed down to a few fields, and if you have something like a stats or table command in your search, the _raw field is more than likely removed from the events.

Added to which in an alert, you only have access to the first result, so unless all the data is available in that first result, you won't be able to retrieve it.

Having said all that, if you simply want to write some events to a summary index, you can do that in your alert, however, I would caution you to make sure you understand the consequences.

0 Karma
Reply

simon_b
Path Finder
‎06-20-2023 08:05 AM

@ITWhisperer Thanks for the answer.

You are right, the _raw field is removed completly.

 

Yes, I want to write some events to a summary index and I am aware of the collect command. The problem is, that I cannot use the Throttle option if I do it that way.

 

So my main goal would be to write some events to a summary index using an Alert Action to do that.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-20-2023 08:12 AM

Please explain how you are trying to use the throttle option and why writing to a summary index is not appropriate for you?

0 Karma
Reply

simon_b
Path Finder
‎06-23-2023 04:27 AM

@ITWhisperer I want to use the throttle option to stop writing to the summary index for a certain amount of time after some events have been written to the index.

 

Example:

  • An event is written to the summary index
  • After that, use throttle option to stop writing to summary index for x hours (even if there would be events to be written it should be blocked)
  • After x hours: If there are new events --> Write them to summary index again and block it again for x hours
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...