Re: How do I only run a search if another search g...

reillysg · ‎06-19-2015

I have 2 searches that are working but I would like to do the following. If search 1 generates a result, I would like to run search 2 and if the search count value of search 2 is over a 20, send an alert. Does anyone know if this is possible ?

Search 2
index=* source="gateway.backend.log" Connection timed-out | bucket_time span=30m | stats count by _time | search count>20

lguinn2 · ‎06-19-2015

You could do this by setting up search 1 to run as an alert - where the alert triggered a script that ran search 2 - and then search 2 had an alert condition as well. While this approach will absolutely work, it may be more complex than you want to tackle.

You could also combine the two searches into one, but that would always execute both searches - I don't know how to make one search execute conditionally.

A couple of notes about your searches: first, the | bucket _time span=1m can be eliminated from the first search, as it doesn't have any effect. Second, unless you have set the source name, you probably want to search for source="*gateway.backend.log" (using a wildcard).

How do I only run a search if another search generates results

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases