Splunk Search

Index an Event based on the results of a Splunk Query.

lpolo
Motivator

I have a custom search command. It is scheduled to run every 5min. The results are indexed in a summary index.

I need to index the results of the custom search command, if and only if, the latest indexed event is not equal to the results of the custom search command.

Example:

1) Events found in index=custom

_time field=value field_A=value

2) Run custom search command at time_1:

|custom_search_command

Results:

_time field=value field_A=value

Events should not be indexed.

3) Run custom search command at time_2:

|custom_search_command

Results:

_time field=value_y field_A=value_x

The event should be indexed in index=custom. Therefore, at time "time_1": there should be 2 events in the summary index:

_time field=value field_A=value
_time_1 field=value_y field_A=value_x

Can a splunk search query get the result set of the custom search command, if and only if, the value of "field and field_A" are not found in the latest event stored in index=custom?

Thanks,
Lp


sideview
SplunkTrust

Something like this should work:

| custom_search_command | append [search index=custom | head 1 | table field field_A | eval isFromSummary="1"] | stats last(isFromSummary) as isFromSummary by field field_A | where isnull(isFromSummary)

The custom command's output is appended to the last row from your summary index. Then we use stats to roll up all the combinations of field and field_A. If the current result is the same as the summarized result there will be only one row, it'll have isFromSummary="1", and it'll get wiped out in the last where clause. And when a search result has 0 rows and it gets written to summary, I think nothing actually gets written.

And in the cases where the two results are different, our stats command wipes away the summary result, but leaves the single row that was our custom_search_command output.
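Added example (not from the answer above): the same append/stats/where mechanism, with makeresults standing in for the custom command and for the latest summary-index event so it can be run on any Splunk instance. The first row simulates the time_2 output (value_y / value_x), the appended row simulates the last event already in index=custom (value / value); the field names field and field_A are taken from the question.

```spl
| makeresults
| eval field="value_y", field_A="value_x"
| append
    [| makeresults
     | eval field="value", field_A="value", isFromSummary="1"]
| stats last(isFromSummary) AS isFromSummary BY field field_A
| where isnull(isFromSummary)
| fields - isFromSummary
```

This returns the single row field=value_y field_A=value_x; change the first eval to field="value", field_A="value" and it returns no rows, which is the "do not index" case. In the scheduled search, replace the first two lines with | custom_search_command, the bracketed subsearch with search index=custom | head 1 | table field field_A | eval isFromSummary="1", and finish with | collect index=custom; note that stats keeps only the BY fields, so any other fields the custom command emits are dropped before collect unless carried through with values() or first().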

lpolo
Motivator

Thanks.
Lp
