Reporting

Is it possible to merge results from last scheduled saved search with the latest run?

steven10172
Explorer

Is it possible to merge the results from the last run of the saved search with the newest run? I would like to be able to keep a report of the running average of some different values.

Results after 1st search:
Monday 10000
Tuesday 43000
Wednesday 15000

Results of next search:
Monday 12000
Tuesday 51000
Wednesday 19000

Report shows:
Monday 11000
Tuesday 47000
Wednesday 17000

0 Karma

somesoni2
SplunkTrust

You can achieve this by using the loadjob command. It would require configuring the saved search in two steps.

A) Have your saved search created with the regular command and schedule, and let it run at least once per schedule (so that you'd have a previous run result).

index=_internal | stats count by sourcetype  

Runs every minute

B) Once it has run once, add the following to the search string to append the result of the last run and then summarize again.

index=_internal | stats count by sourcetype | append [| loadjob savedsearch="PutownerName:PutAppName:PutSavedSearchName" ] | stats sum(count) as count by sourcetype

(Everything after the first stats is the new part. The final stats has to sum the count column, not count rows: after the append there are two rows per sourcetype, one from this run and one from the previous artifact, and a plain stats count by sourcetype would return 2 for every sourcetype instead of adding the previous run's counts to this run's.)

Now the next run will include the results from the last run as well.

Remember, it will produce a cumulative effect.

Like
Run 1     Result 1
Run 2     Result 1+2
Run 3     Result 1+2+3
...
0 Karma
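As an added example, not part of somesoni2's answer and not taken from Splunk documentation: the same loadjob pattern extended to produce the running average the question asks for. The stored average is not carried forward directly, because averaging a stored average with a new value weights the runs wrongly from the third run on; instead each run carries forward a per-key total and a run counter and recomputes the average from those. The owner, app and saved-search name in the loadjob call are placeholders, and the search must already have run once under that name so that an artifact exists for loadjob to read.

```spl
index=_internal earliest=-1h@h latest=@h
| stats count by sourcetype
| eval total=count, runs=1
| append
    [| loadjob savedsearch="admin:search:running_avg_by_sourcetype"
     | fields sourcetype total runs ]
| stats sum(total) as total, sum(runs) as runs by sourcetype
| eval avg=round(total/runs, 0)
| table sourcetype runs total avg
```

Save this as the scheduled search under the name used in the loadjob call. On each run the subsearch pulls the previous run's table (sourcetype, runs, total, avg), keeps only the three fields that need to be carried, and the outer stats adds them to the current hour's count. A sourcetype that is absent from a given hour keeps its old total and runs, so each key's average is over the runs in which it appeared. Two checks are worth making: the first run has no artifact, so run the search once with the append removed (step A above); and the previous artifact must still exist when the next run starts, so the saved search's artifact lifetime (dispatch.ttl) has to cover at least one scheduling interval.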

strive
Influencer

I assume that your scheduled saved search is run once a day.

Create a summary index and index the summarized data at the end of every run. Using this summary index you can generate reports for any time range (weekly, biweekly, monthly, etc.).

0 Karma
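An added example, not from strive's answer or the asker's posts, of both halves of the summary-index approach. The first search is the scheduled one, written with the collect command instead of the alert UI's summary-indexing checkbox, which is useful when, as in this thread, you cannot see the .conf files and want the summary destination and marker field visible in the search itself. The second is the report that reads the summary back and averages each host's hourly count per weekday over the last four full weeks. The index name voice, the summary index summary and the marker report=voice_import_count are taken from the asker's alert configuration further down in this thread; the four-week window is an assumption.

```spl
| metasearch index=voice earliest=@h-1h latest=@h
| bucket _time span=1h
| stats count by _time host
| eval dayOfWeek=strftime(_time, "%w"), hour=strftime(_time, "%H")
| collect index=summary marker="report=voice_import_count"

index=summary report=voice_import_count earliest=-4w@w latest=@w
| stats avg(count) as avg_count, min(count) as min_count, max(count) as max_count, count as samples by host dayOfWeek hour
| eval avg_count=round(avg_count, 0)
| sort host dayOfWeek hour
```

Schedule the first search on a cron such as 30 * * * * so that it runs after the hour it summarizes has closed; collect keeps the _time of each row, so the summary events land at the start of the hour they describe. The second search can be run ad hoc for any range. The samples column tells you how many hourly rows fed each average, so a weekday whose samples value is lower than the number of weeks in the window shows where scheduled runs were skipped or collected nothing. That is also the first check to make when, as in the question below, the summary index looks empty: run index=summary report=voice_import_count earliest=-24h and confirm that rows are arriving at all before debugging the report.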

strive
Influencer

OK. I tried with the same configuration and it works perfectly fine. Data gets stored in the summary index also.

0 Karma

steven10172
Explorer

30 <4 *'s> is what I actually have. The comment just truncates the last 2 *'s.

0 Karma

strive
Influencer

Yeah, I understood by taking a close look at the search. I followed your configuration with minor changes. It's working for me. The changes that I made are:
StartTime:-1d # This was default and i left it as-is
FinishTime: # This was blank and i left it as-is
cron: 30 * * * *
Rest all same settings.

Your cron schedule is wrong. 30 * * is not right. If you try to save that it will display an error.

0 Karma

steven10172
Explorer

Yeah, the search does work. The stuff in the [[[ ... ]]] is the configuration I used to set up the alert and summary indexing. I would look at the .conf files, but I don't have access to the servers.

0 Karma

strive
Influencer

Yes, the storage preferences are part of the indexes.conf file. Users can override the default settings by placing a copy of the file under the /local directory.

0 Karma

strive
Influencer

When I try to execute the search that you have given, it throws a search parser error. Are you sure that it runs and gives you results?

0 Karma

steven10172
Explorer

If the storage preferences are in a .conf file, I do not have access to them.

0 Karma

steven10172
Explorer

| metasearch earliest=@h-1h latest=@h index=voice
| fields _time,host
| bucket _time span=1h
| bucket host
| stats count by _time,host
| eval month=strftime(_time, "%m")
| eval day=strftime(_time, "%d")
| eval dayOfWeek=strftime(_time, "%w")
| eval hour=strftime(_time, "%H")
| table host,month,day,dayOfWeek,hour,count
| sort host,hour,day
Alert Config:[[[StartTime:@h-1h, FinishTime:@h, Scheduled:cron[30 * * * *], Severity:info Expiration:24hr Summary Indexing: ENABLED, Summary Index: Summary, Add Fields:report=voice_import_count]]]

0 Karma

strive
Influencer

Can you post your search here? That will help us see if you have scheduled it properly, and also your storage preferences.

0 Karma

steven10172
Explorer

I've scheduled an alert to be summary indexed with my search and it doesn't seem to be running. When I click View Recent there are no reports stored there. But if I click Run I can see results. There also doesn't seem to be results in index=summary (The index I used). How can I tell what's going on with the search?

0 Karma