Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index an Event based on the results of a Splunk Query.

lpolo
Motivator
‎02-12-2013 06:10 AM

I have an custom search command. It is scheduled to run every 5min. The results are indexed in a summary index.

I need to index the results of the custom search command, if and only if, the latest indexed event is not equal to the results of the custom search command.

Example:

1) Events found in index=custom

_time field=value field_A=value

2) Run custom search command at time_1:

|custom_search_command

Results:

_time field=value field_A=value

Events should not be indexed.

3) Run custom search command at time_2:

|custom_search_command

Results:

_time field=value_y field_A=value_x

The event should be index in index=custom. Therefore, at time "time_1": there should be 2 events in the summary index:

_time field=value field_A=value
_time_1 field=value_y field_A=value_x

Can a splunk search query get the result set of the custom search command, if and only if, the value of "field and field_A" are not found in the latest event stored in index=custom?

Thanks,
Lp

Tags (2)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎02-12-2013 11:55 AM

Something like this should work: 

| custom_search_command | append [| index=custom | head 1 | table field field_A | eval isFromSummary="1"] | stats last(isFromSummary) as isFromSummary by field fieldA | where isnull(isFromSummary)

The custom command's output is appended to the last row from your summary index. Then we use stats to roll up all the combinations of field and fieldA. If the current result is the same as the summarized result there will be only one row, it'll have isFromSummary="1", and it'll get wiped out in the last where clause. And when a search result has 0 rows and it gets written to summary, I think nothing actually gets written.

And in the cases where the two results are different, our stats command wipes away the summary result, but leaves the single row that was our custom_search_command output.

Reply

lpolo
Motivator
‎02-21-2013 08:25 AM

Thanks.
Lp

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...