Splunk Search

Index an Event based on the results of a Splunk Query.

lpolo
Motivator

I have a custom search command. It is scheduled to run every 5min. The results are indexed in a summary index.

I need to index the results of the custom search command, if and only if, the latest indexed event is not equal to the results of the custom search command.

Example:

1) Events found in index=custom

_time field=value field_A=value

2) Run custom search command at time_1:

|custom_search_command

Results:

_time field=value field_A=value

Events should not be indexed.

3) Run custom search command at time_2:

|custom_search_command

Results:

_time field=value_y field_A=value_x

The event should be indexed in index=custom. Therefore, at time "time_1": there should be 2 events in the summary index:

_time field=value field_A=value
_time_1 field=value_y field_A=value_x

Can a Splunk search query get the result set of the custom search command, if and only if, the value of "field and field_A" are not found in the latest event stored in index=custom?

Thanks,
Lp


sideview
SplunkTrust

Something like this should work:

| custom_search_command | append [search index=custom | head 1 | table field field_A | eval isFromSummary="1"] | stats last(isFromSummary) as isFromSummary by field field_A | where isnull(isFromSummary)

The custom command's output is appended to the last row from your summary index. Then we use stats to roll up all the combinations of field and field_A. If the current result is the same as the summarized result there will be only one row, it'll have isFromSummary="1", and it'll get wiped out in the last where clause. And when a search result has 0 rows and it gets written to summary, I think nothing actually gets written.

And in the cases where the two results are different, our stats command wipes away the summary result, but leaves the single row that was our custom_search_command output.
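To make the row-level behaviour of that pipeline concrete, here is a plain-Python model of the append / stats last() by / where isnull() steps. It is an added illustration, not code from the thread or from Splunk: the row layout, field names (field, field_A, isFromSummary) and sample values are constructed to match the question, and it generalises the answer slightly by handling a custom command that returns several rows, only some of which already appear in the summary index.

```python
# Added example (not from the original thread): a plain-Python model of the
# SPL pipeline  "| append [...] | stats last(isFromSummary) by field field_A
# | where isnull(isFromSummary)"  to show which rows survive each step.
# Field names and sample values below are constructed for illustration.
from typing import Dict, Iterable, List, Optional, Tuple


def rows_to_index(custom_rows: Iterable[Dict[str, str]],
                  latest_summary_row: Optional[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the custom-command rows whose (field, field_A) pair is NOT the
    pair held by the latest summary-index event. Empty list means nothing
    new should be written to the summary index this run."""
    # append [search index=custom | head 1 | table field field_A | eval isFromSummary="1"]:
    # custom rows carry no isFromSummary field; the one summary row gets "1".
    combined = [dict(r) for r in custom_rows]
    if latest_summary_row is not None:
        combined.append({"field": latest_summary_row["field"],
                         "field_A": latest_summary_row["field_A"],
                         "isFromSummary": "1"})

    # stats last(isFromSummary) as isFromSummary by field field_A:
    # group on the two key fields. last() ignores rows where the field is
    # absent, so any group that contains the summary row ends up with "1";
    # groups made only of custom rows keep a null value.
    groups: Dict[Tuple[str, str], Optional[str]] = {}
    for r in combined:
        key = (r["field"], r["field_A"])
        groups.setdefault(key, None)
        if r.get("isFromSummary") is not None:
            groups[key] = r["isFromSummary"]

    # where isnull(isFromSummary): keep only the pairs never seen in the summary.
    return [{"field": k[0], "field_A": k[1]} for k, v in groups.items() if v is None]


if __name__ == "__main__":
    latest = {"field": "value", "field_A": "value"}          # constructed summary event
    # time_1: command output equals the latest summary event -> nothing to index
    print(rows_to_index([{"field": "value", "field_A": "value"}], latest))
    # time_2: values changed -> the new row passes through
    print(rows_to_index([{"field": "value_y", "field_A": "value_x"}], latest))
    # multi-row output: only the pair not already summarised survives
    print(rows_to_index([{"field": "value", "field_A": "value"},
                         {"field": "value_z", "field_A": "value_w"}], latest))
```

Two points the model makes visible: the comparison is on the (field, field_A) pair only, because stats drops _time and every other field, so a change in any other field of the custom output will not trigger a write; and `head 1` only yields the most recent summary event when the subsearch returns events in the default reverse-chronological order, which is the case for a plain index search.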

lpolo
Motivator

Thanks.
Lp
