How can i efficiently discard the event stream of a search?

Question

Suppose I have a search such as

sourcetype=apache errors

which finds errors that I care about. Now, suppose I want to send these errors, on certain conditions, so I want to use the alert_condition feature of savedsearches.conf. Let's say the condition I want to use is that it is not working hours -- totally unrelated to the original search. However, alert_condition is fed the event stream from the original search.

How can I efficiently dump the original stream, when needed?

The best I can come up with is

alert_condition = head 1 | where 1=2 | append [search ....]

Can this be done more neatly?

Accepted Answer

1	Apparently the 'best I could come up with' is the best we have. That should be efficient, it's just a little ugly to read. link answered 16 Feb '11, 19:18 jrodman ♦ 5.8k●2●5●15 accept rate: 42%

How can i efficiently discard the event stream of a search?

Follow this question

Splunk Resources

Related questions