Run searchname returned from a scheduled query as ...

Mag2sub · ‎04-29-2014

We have a a scheduled query that returns certain search names ...how do we automate such that the scheduled query that returns certain search names automatically runs those searches again ?
Appreciate inputs!

martin_mueller · ‎04-30-2014

Say your search returns a row per to-be-run saved search names in the field search, then you can run those using map:

your scheduled search returning a field search per row | map search="savedsearch $search$"

Mag2sub · ‎05-09-2014

Can we use the backfill summary index script without summary action and modify for alerts ?

martin_mueller · ‎04-30-2014

In that case time ranges and alert actions matter a lot as well - that complicates things a lot, I don't think there's a reasonable fully automatic one-search solution to that.

Mag2sub · ‎04-30-2014

Alerting searches

martin_mueller · ‎04-30-2014

What are those saved searches doing? Summary Indexing? Alerting? Reporting? ...?

Mag2sub · ‎04-30-2014

Now the scheduled search is returning some scheduled distributed search names which had at that schedule time lost connection with peer...when we use map wont it run the same search using a system time for schedule ...while we wanted the time the connectivity was lost as the schedule time ...how can we do the same ?

Run searchname returned from a scheduled query as a new search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life