Grab statistics for complex searches where eventtypes doesnt do the trick

Starlette
Contributor

Let's say I have a few searches:

alert1
search | eval etc | stats count by field1, field2, etc

alert2
search | eval etc | stats count by field1, field2, etc

alert3
search | eval etc | stats count by field1, field2, etc

Now I want to make a search for top alerts, though I can't make eventtypes. What's the most handy way to get there?

0 Karma

Starlette
Contributor

Okay, thanks. I am aware it isn't easy; this is just a general question, and the 3 searches are an example to describe the functional fundamentals.
Bottom line is I have separate searches which are running in notification if there is a (SIEM) hit; those are combos of eval, subsearches, lookups etc. So I just wondered if I can run a top just like an eventtypes top.
On the dashboards I have, per search, postprocesses, with linkswitches, intentions to drills etc. etc.
I will dig into this later, but apparently it's more complex than I was thinking (I just thought I could group "search" results and simply count them...).

0 Karma

southeringtonp
Motivator

A few approaches...

  1. Find out why you can't define eventtypes. Talk to your Splunk admin and have the eventtypes added for you, or ask for permissions to do it yourself.

  2. Use 'OR' conditions in your search string, and group by some field other than eventtype. signature or EventCode might be a good choice, depending on your alert conditions.

  3. Run your existing searches, but don't send email alerts. Instead, enable summary indexing. Run a separate search against the summary index for alerting.

  4. Run your existing searches, but don't send email alerts. If all you care about is the result count, you can search against index=internal SavedSplunker to find the number of results that matched. Then use savedsearch_name like you would eventtype.

  5. Use |append to run your three searches, and create your equivalent to the eventtype field for each alert type using eval. Then pipe the whole mess into top or stats.

0 Karma
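A worked example of approach 5, added here and not taken from the thread: each alert search is run as one leg of an append, tagged with an eval'd alert_name field that stands in for eventtype, and the legs are then combined into a single ranked table. The indexes, sourcetypes, the allowed_ssh_users lookup and the alert names are constructed for the illustration and will not match your environment.

```spl
index=win sourcetype="WinEventLog:Security" EventCode=4625
| eval alert_name="alert1_failed_logons"
| stats count BY alert_name
| append
    [ search index=web sourcetype=access_combined status=403
      | eval alert_name="alert2_forbidden_requests"
      | stats count BY alert_name ]
| append
    [ search index=auth sourcetype=sshd "Accepted password"
      | rex "for (?<user>\S+) from (?<src>\S+)"
      | lookup allowed_ssh_users user OUTPUT allowed
      | where isnull(allowed)
      | eval alert_name="alert3_unexpected_ssh_user"
      | stats count BY alert_name ]
| stats sum(count) AS count BY alert_name
| sort - count
```

Each leg is collapsed with stats before it is appended, so a subsearch returns one row per alert rather than its raw events; that matters because append subsearches are bounded by the subsearch result-count and runtime limits, and a busy alert that returns raw events can be silently truncated. If you prefer to keep the raw events (for example to drill down), drop the per-leg stats and finish with | top alert_name instead. Once the leg count grows, approach 3 is the more robust version of the same idea: schedule each alert search with summary indexing and run this ranking over the summary index, where alert_name is already a stored field.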

Starlette
Contributor

Strange that this one is downvoted... the search hit is an alert and differs per alert (for instance an external lookup for fields which are allowed, or users who are logged into a system with a non-allowed name etc. etc.).

So if there is a search hit then it's an alert... now I want a consolidated overview instead of a bunch of loose rangemap values.

0 Karma

hazekamp
Builder

What defines an alert? What defines alert count?

0 Karma