Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scheduled saved search based on an a specific event in a log

skavuluri
Engager
‎10-07-2011 11:33 AM

How do we setup a scheduled saved search that generates a result set emailed to a set of users based on a specific message detected in another file.

Step 1 // A given Saved search runs every 30 mins schedule.

Step 2 // generate a daily report if and only if
// a certain "GOODBYE MESSAGE" is detected in another log in that last 30 min interval.

Step3 //If not found in step2, the Saved search repeats itself every 30 mins until GOODBYE MESSAGE is detected.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vlapeintuit
Explorer
‎10-10-2011 01:43 PM

in the search query add "| stats count| where count > 1" to the end of your search. so for example my log looks like:

date time foo hello message
date time foo goodbye message

my search would be:
sourcetype="bla" "goodbye message" | stats count | where count >1

make it a saved search that runs every 30 min....

View solution in original post

Reply
Solved! Jump to solution
Solution

vlapeintuit
Explorer
‎10-10-2011 01:43 PM

in the search query add "| stats count| where count > 1" to the end of your search. so for example my log looks like:

date time foo hello message
date time foo goodbye message

my search would be:
sourcetype="bla" "goodbye message" | stats count | where count >1

make it a saved search that runs every 30 min....

Reply
Solved! Jump to solution

skavuluri
Engager
‎10-14-2011 01:33 PM

Thanks for your input. That's only partial search. Once we find that goodbye message (coutn >1) we want to trigger another search which I was referring to in step1. So in essence something like this -
//IF GOODBYE MESSAGE FOUND from first search,
//THEN RUN a second search to harvest certain data for the last 12 hours.

This seem to fit more in subsearch category but we could not get it to work the way we want it to.

Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...