I have an alert that sends emails when process count goes above a certain level. When these conditions are met, I would like Splunk to send an email with the output of another search command. For example:
Alert search (already works):
index="os" host="host1*" sourcetype="top" COMMAND="httpd" | stats count
Follow-up search (run if previous alert's conditions are met):
index="apps" host="host1*" sourcetype="access*" | stats count(uri) by clientip,uri
How does one configure such (cascading?) alerts?
Try this.
Change the search of your current alert search to this and change the alert condition to "when number of results is greater than 0". This search will return events only if the where conditions are met.
index="os" host="host1*" sourcetype="top" COMMAND="httpd" | stats count | where count > YOURLIMIT | map search="search index=\"apps\" host=\"host1*\" sourcetype=\"access*\" | stats count(uri) by clientip,uri"
That looks great, could you add a little bit of explanation of how this uses the map command? I'm not sure I understand "Looping operator, performs a search over each search result." from the docs.
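To illustrate what `map` does in the accepted answer and to address the follow-up question, here is an added example (not code from any post in this thread). `map` runs its `search="..."` argument once per result produced by the pipeline in front of it; because the first `stats count | where count > ...` stage yields either zero or exactly one result, the follow-up search runs either zero or one time, which is what makes the alert "cascade". Field values from each incoming result can be substituted into the mapped search with `$fieldname$` tokens, so the process count that tripped the alert can be carried into the output. The threshold `50`, the `earliest=-15m` window and the `httpd_processes` column name are assumptions chosen for this example; note that double quotes inside the `search="..."` string must be escaped with a backslash.

```spl
index="os" host="host1*" sourcetype="top" COMMAND="httpd"
| stats count
| where count > 50
| map maxsearches=1 search="search index=\"apps\" host=\"host1*\" sourcetype=\"access*\" earliest=-15m
    | stats count(uri) AS hits BY clientip, uri
    | eval httpd_processes=$count$
    | sort - hits"
```

`maxsearches=1` caps how many times the mapped search may run (the default is 10), which is a safe guard here since the outer pipeline should never hand `map` more than one row. With the alert condition set to "Number of results is greater than 0", an email is sent only when the process threshold was exceeded, and its result table is the per-client, per-URI access count from the second index together with the process count that triggered it.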