Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining multiple searches

anirbanukil
Explorer
‎02-29-2012 08:05 AM

I have three different (unique) searches which sends out alerts in case certain conditions are met. I want to send an alert if all the three alerts (as mentioned above) are fired for an escalation scenario. Please advice how this can be achieved.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

imrago
Contributor
‎02-29-2012 12:55 PM

Perhaps you could create an alert which would search for those three alerts in

index="_audit" action="alert_fired"

View solution in original post

Reply
Solved! Jump to solution
Solution

imrago
Contributor
‎02-29-2012 12:55 PM

Perhaps you could create an alert which would search for those three alerts in

index="_audit" action="alert_fired"

Reply
Solved! Jump to solution

imrago
Contributor
‎02-29-2012 01:59 PM

index=_audit action="alert_fired" ss_name=Alert1 OR ss_name=Alert2 OR ss_name=Alert3 | stats dc(ss_name) as alerts

and you should fire the alert if alerts = 3

0 Karma
Reply
Solved! Jump to solution

anirbanukil
Explorer
‎02-29-2012 01:35 PM

Thanks for the update but how can I search multiple alert names as an 'AND' condition.
Ex: Alert1 and Alert2 and Alert3 all have fired.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...