Solved: How can i efficiently discard the event stream of ...

jrodman · ‎02-09-2011

Suppose I have a search such as

sourcetype=apache errors

which finds errors that I care about. Now, suppose I want to send these errors, on certain conditions, so I want to use the alert_condition feature of savedsearches.conf. Let's say the condition I want to use is that it is not working hours -- totally unrelated to the original search. However, alert_condition is fed the event stream from the original search.

How can I efficiently dump the original stream, when needed?

The best I can come up with is

alert_condition = head 1 | where 1=2 | append [search ....]

Can this be done more neatly?

jrodman · ‎02-16-2011

Apparently the 'best I could come up with' is the best we have.

That should be efficient, it's just a little ugly to read.

View solution in original post

jrodman · ‎02-16-2011

Apparently the 'best I could come up with' is the best we have.

That should be efficient, it's just a little ugly to read.

How can i efficiently discard the event stream of a search?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio