About setting alert (search)

honobe
Explorer

I would like to compare the two logs and output the attachment file name to the alert if it is the same message ID.

For example, the A log and the B log are compared, and when the message ID is the same, the attached file name described in the B log is outputted to the alert.

Is this possible?
If it is possible, what kind of search sentences should I write?

1 Solution

DalJeanis
SplunkTrust
SplunkTrust

I believe that niketnilay's answer is pretty much what you need.

Here's another way of looking at it. Remember that only streaming commands are allowed in the subsearches in multisearch.

| multisearch
      [search index=Alog logtype=message_log from=* subject=* | fields index messageID subject count from]
      [search index=Blog  your other search terms  | fields index messageID filename]
| whatever you omitted
| stats count as eventcount values(*) as * by messageID

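A complete search that does what the thread asks, added here as an example (it is not code from any poster): it builds constructed sample events for log A and log B with makeresults, correlates them by messageID with stats as niketnilay suggested, and keeps values(filename) as DalJeanis noted. The sourcetype names logA/logB and the field names messageID, from, subject and filename are taken from the thread; the sample values are made up.

```spl
| makeresults count=2
| streamstats count AS n
| eval messageID=1000+n, from="user".n."@example.com", subject="Subject ".n, sourcetype="logA"
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval messageID=if(n==1, 1001, 1003), filename="attach".n.".pdf", sourcetype="logB"]
| fields - _time n
| stats count AS eventcount values(sourcetype) AS sourcetypes values(from) AS from values(subject) AS subject values(filename) AS filename BY messageID
| search sourcetypes="logA" sourcetypes="logB"
| table messageID from subject filename
```

Only messageID 1001 survives (1002 exists only in log A, 1003 only in log B), so the result row carries the log A sender and subject together with the log B attachment name attach1.pdf. Against real data, replace everything before the stats line with `sourcetype="logA" OR sourcetype="logB" messageID=*`, save the search as an alert, and set the trigger condition to number of results greater than 0.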

honobe
Explorer

Thank you very much.
I thank everyone who responded.


niketn
Legend

@honobe, it will be easier for us to assist if you provide sample/mocked data and field names from log A and log B.

If the two sources/sourcetypes for log A and log B are different and both have a messageID field, you are looking for the stats command to correlate them and alert when the number of results is > 0.

sourcetype="logA" OR sourcetype="logB" messageID=*
| stats count as eventcount values(sourcetype) as sourcetypes by messageID
| search eventcount>1 sourcetypes="logA" AND sourcetypes="logB"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

honobe
Explorer

Thank you for answers.
I am sorry that there is little explanation.

Currently only the A logs are acquired.
The attached file name is not displayed in the A log, so I will try to acquire it from the B log.
* The attached file name is displayed in the B log.

Therefore, I want to compare the message IDs of the A log and the B log and, when they are the same, output the attachment file name from the B log.

Currently the following search sentences are used.

index=Alog logtype=message_log from="" subject=""
| 【omitted】
| table subject, count, from
| collect index=xxx source="yyy" sourcetype=generic_single_line

I would like to add the attached file name to the output of the search that is finally being used.
I would like to display the attachment file name that is linked to the message ID.


sbbadri
Motivator

@honobe

Then you can use the sendemail command on the query itself.

your base search | sendemail to=example@splunk.com server=mail.example.com subject="$message_id$" message="$message_id$" sendresults=true format=raw sendpdf=true

I hope it helps


DalJeanis
SplunkTrust
SplunkTrust

@niketnilay - add values(filename) as filename
