Alerting

Trigger a report based on an event

brettcave
Builder

Is it possible (and how) to trigger a report to be run based on an event? I have a batch processor that logs to Splunk. There are 2 types of events: 1 is job metadata, and the other is job run specifics:

JOB METADATA action=start name=MyJob runId=foobar
JOB DETAIL id=1 action=update result=pass
JOB DETAIL id=2 action=update result=fail
JOB DETAIL id=3 action=delete result=pass
JOB DETAIL id=4 action=insert result=fail
JOB METADATA action=end name=MyJob duration=6300 runId=foobar

Given these events, I could create a saved search called FailedModifications that gives all the details where result!=pass. But I would only like to run this report for runId=foobar (runId actually uses a date/time stamp), and only run it once the job completes. Something along the lines of using this search: eventtype=AJobAction action=end as a trigger for my "FailedModifications" saved search to run with an extra "runId" parameter. The FailedModifications search is configured as an alert that emails results (this is a requirement of what I'm trying to configure here).

Currently, I'm scheduling the FailedModifications report to run on a cron schedule, with a window matching the schedule intervals, but this is not an ideal configuration. Possible with Splunk? If so, how?

0 Karma

yannK
Splunk Employee

The main search looks like a transaction starting with action=start and finishing with action=end. I hope that you do not have multiple jobs in parallel, otherwise you need a field to join them, maybe the source...

If you are using a scheduled search, you can have your report calculated every time, but only sent if a condition is met. (presence of action=end and of result=fail)

It can be done by a simple | WHERE action=end AND result=fail condition at the very end of the search, and an alert based on "if number of results > 0".

0 Karma
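The approach in the answer above (treat everything between action=start and action=end as one transaction, then alert only when the end marker is present and at least one detail has result=fail) can be checked outside Splunk before wiring it into a scheduled alert. The following is an added example, not code from the thread or from Splunk: it replays a constructed copy of the question's events in Python, correlates JOB DETAIL lines to the run that is open at that moment (the same time-ordering assumption the Splunk transaction command makes when no join field is given), and emits one alert payload per completed run that had failures. It also shows the caveat yannK raised: a detail seen while zero or more than one run is open cannot be attributed without a join field, so it is reported separately instead of being guessed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events modelled on the ones in the question (not real log data).
# A second, fully passing run is appended to show that it produces no alert.
SAMPLE_EVENTS = """\
JOB METADATA action=start name=MyJob runId=foobar
JOB DETAIL id=1 action=update result=pass
JOB DETAIL id=2 action=update result=fail
JOB DETAIL id=3 action=delete result=pass
JOB DETAIL id=4 action=insert result=fail
JOB METADATA action=end name=MyJob duration=6300 runId=foobar
JOB METADATA action=start name=MyJob runId=clean
JOB DETAIL id=5 action=update result=pass
JOB METADATA action=end name=MyJob duration=120 runId=clean
""".splitlines()

# key=value pairs as they appear in the events; values contain no spaces here.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class JobRun:
    """One start..end transaction, identified by the runId carried on the metadata lines."""
    run_id: str
    name: str
    details: list = field(default_factory=list)
    duration: str = ""


def process_events(lines):
    """Replay events in order; return (alerts, unattributed_details).

    alerts: one dict per run that reached action=end with at least one detail
            whose result is not "pass" (the page's result!=pass condition).
    unattributed_details: JOB DETAIL events seen while no run, or more than one
            run, was open. Like a Splunk transaction without a join field, the
            correlation relies on runs not overlapping; overlapping runs would
            need a shared field on every line, which these events lack.
    """
    open_runs = {}          # runId -> JobRun for runs that started but have not ended
    alerts = []
    unattributed = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        if line.startswith("JOB METADATA"):
            run_id = fields.get("runId", "")
            if fields.get("action") == "start":
                open_runs[run_id] = JobRun(run_id, fields.get("name", ""))
            elif fields.get("action") == "end" and run_id in open_runs:
                run = open_runs.pop(run_id)
                run.duration = fields.get("duration", "")
                failed = [d for d in run.details if d.get("result") != "pass"]
                if failed:  # the "number of results > 0" alert condition
                    alerts.append({
                        "runId": run.run_id,
                        "name": run.name,
                        "duration": run.duration,
                        "failed": failed,
                    })
        elif line.startswith("JOB DETAIL"):
            if len(open_runs) == 1:
                next(iter(open_runs.values())).details.append(fields)
            else:
                unattributed.append(fields)
    return alerts, unattributed


def format_alert(alert):
    """Render one alert as the plain-text body an email action would send."""
    header = (f"FailedModifications for runId={alert['runId']} "
              f"(job {alert['name']}, duration {alert['duration']})")
    rows = [f"  id={d.get('id')} action={d.get('action')} result={d.get('result')}"
            for d in alert["failed"]]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    found, orphans = process_events(SAMPLE_EVENTS)
    for a in found:
        print(format_alert(a))
    if orphans:
        print(f"{len(orphans)} detail event(s) could not be attributed to a single run")
```

The alert list is empty for the "clean" run and contains ids 2 and 4 for runId=foobar, which is exactly what the scheduled search should email and nothing else. If the batch processor ever runs jobs concurrently, the unattributed list becomes non-empty, and that is the signal to add a runId (or another join field) to the JOB DETAIL lines before trusting the transaction-based search.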

brettcave
Builder

Cool, thanks yannK. Will give it a try and post back.

0 Karma