- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- splunk scheduled search across different indexes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk scheduled search across different indexes
We have a search that is scheduled to run across several different,diverse index...this serach also trigger only when number of events > than x number of events ...how do we ensure that although we have a common search ...the number of events condition is satisfied only if its coming from only the same index as previous
..ie we have index a,b,c,d and we have a search that does not hardcode index and the role of the user maps to all indexes by default ...when we run a conditional search to trigger if ...how do we ensure that say trigger > 25 event count is satisfied only if we see 25 events from individual" a "index and not 25 aggregate across indexes
Appreciate !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you set your alert trigger condition, instead of using one of the pre-built conditions like "number of events", choose "custom condition" and in the custom condition, put
stats count by index | where count >= 25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could post your search, so we can review it for syntax or method issues. Or, you could test it under the conditions you specified.
From the details you posted, I can assure you that If all of the forwarders are online and latency is not a factor, then a properly configured multi index search will not affect the conditional alert.
This answer is given under the assumption that when you say "conditional search" you mean to say "conditional alert".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you clarify your answer against ..no forwarders involved ips's from different departments logging each to their own index
a simple ex : search sigid=1545 across ips logs from multiple department (aka each department has their own index" conditional alert event count > 25 ...and this cannot be triggered if event count is aggregated across all indexes but rather only if 25 event count is met from same index every time (please note user role has access setuo to search all indexes by default)
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
