
Is it possible to set up an alerting condition on a scheduled saved search that would turn around and launch another saved search?

This may seem like a weird request, but here are some scenarios I've come across this week where I think such a function may be helpful. Or perhaps a better alternative is out there. Either way, I'm looking for ideas.

Scenarios

  1. A firewall is reporting a large number of errors from a PPTP session. Unfortunately, the repeating error messages only contain a pid value which has to be cross-referenced with other events to get other relevant fields (username, local_ip, remote_ip, ...). What would be nice is to have one scheduled saved search that looks for this scenario, which would then trigger another, more detailed saved search that reports the full detail via an email alert action. (This second saved search is not scheduled; it is only run on demand.) That way, the heavy-duty (more resource intensive) search only runs on an as-needed basis, triggered by a lighter-weight, regularly scheduled search.
  2. A business-critical process is performing poorly. We have tons of alerts around this process already, so adding more isn't the solution. However, it would be helpful to send a PDF copy of a post-poor-performance-analysis view summarizing the problems. We could schedule delivery of this report, but we don't want the overhead of generating it when it's not needed, and even more importantly, if the report is emailed out daily (regardless of whether there were performance problems or not) then the recipients will simply learn to ignore it. (It seems to be human nature.) I would like to have one scheduled search that evaluates the overall performance and, when the conditions are right, launches the PDF view sending mechanism. Perhaps this is currently possible with the existing view delivery mechanism; I'm not sure.

I've thought of a few ways to jerry-rig this, but nothing stands out as a good idea at the moment. If there were a way to use a triggered action script to make an API call to splunkd to set up a scheduled saved search to run just once, or a "run-now" mode, that could probably do the trick.

The thing I like about having one scheduled saved search trigger another saved search is that such a mechanism could be done from within the scheduler and could therefore be managed and controlled by it.

Any thoughts or ideas?


Update:

Since I really haven't received any helpful feedback on this, and I'm not very good at sitting still, I've started working on my own solution to this problem by attempting to create a custom alerting action which will run a custom search command, which in turn will trigger the execution of a secondary saved search.

I've run into an issue getting the custom alerting action working, but again I'm just trying to figure out what I can based on existing config files.

I've had some success getting a custom search command to launch a saved search, but I've run into a bug that prevents the authentication session key from being usable by a search command.

asked 28 May '10, 15:55 by Lowell ♦

edited 20 Aug '10, 05:55 by Justin Grant
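The mechanism the question and its update describe (a lightweight scheduled search whose alert action asks splunkd to run a heavier saved search on demand) can be shown as an alert-action script that calls the splunkd REST API. The following is an added example written for this page; it is not code from the original post or from the RunSavedSearch app linked in the accepted answer. Assumptions, all labelled in the code: splunkd's management port is `https://localhost:8089`; the script receives the session key on stdin as a `sessionKey=<key>` line and the name of the secondary saved search as its first argument; the endpoint used is `POST /services/saved/searches/<name>/dispatch` with `trigger_actions=1` so the secondary search fires its own alert actions (the email in scenario 1); and the CA bundle for verifying splunkd's certificate comes from a hypothetical `SPLUNKD_CA_BUNDLE` environment variable.

```python
"""Alert-action script: dispatch a second saved search through the splunkd REST API.

Added example for this page, not the RunSavedSearch app's code. Assumptions (labelled):
  - splunkd management port at https://localhost:8089
  - session key arrives on stdin as "sessionKey=<key>" (kept off argv so it does not
    show up in process listings)
  - argv[1] is the name of the saved search to launch
  - CA bundle path in the (hypothetical) SPLUNKD_CA_BUNDLE environment variable
"""
import os
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

BASE_URL = "https://localhost:8089"  # assumed management port


def parse_session_key(stdin_text):
    """Return the value of the 'sessionKey=...' line read from stdin."""
    for line in stdin_text.splitlines():
        line = line.strip()
        if line.startswith("sessionKey="):
            key = line[len("sessionKey="):]
            if key:
                return key
    raise ValueError("no sessionKey line on stdin")


def build_dispatch_request(base_url, search_name, session_key, trigger_actions=True):
    """Build (url, headers, form body) for POST saved/searches/<name>/dispatch.

    The search name is percent-encoded with no safe characters, so a name containing
    '/' or '?' cannot change which endpoint is hit. trigger_actions=1 makes the
    secondary search run its own alert actions (e.g. the detailed email report)."""
    if not search_name:
        raise ValueError("saved search name must not be empty")
    encoded = urllib.parse.quote(search_name, safe="")
    url = "%s/services/saved/searches/%s/dispatch" % (base_url.rstrip("/"), encoded)
    headers = {"Authorization": "Splunk " + session_key}
    body = urllib.parse.urlencode({"trigger_actions": "1" if trigger_actions else "0"})
    return url, headers, body


def parse_sid(response_xml):
    """Extract the search id from the <response><sid>...</sid></response> reply."""
    root = ET.fromstring(response_xml)
    sid = root.find("sid")
    if sid is None or not sid.text or not sid.text.strip():
        raise ValueError("dispatch response carried no <sid>")
    return sid.text.strip()


def dispatch_saved_search(base_url, search_name, session_key, ca_bundle=None):
    """POST the dispatch request and return the new search's sid.

    TLS verification stays on: splunkd ships a self-signed certificate, so point
    ca_bundle at that certificate or the CA that signed it rather than disabling checks."""
    url, headers, body = build_dispatch_request(base_url, search_name, session_key)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_sid(resp.read())


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: run_saved_search.py <saved search name>  (session key on stdin)")
    key = parse_session_key(sys.stdin.read())
    sid = dispatch_saved_search(BASE_URL, sys.argv[1], key,
                                ca_bundle=os.environ.get("SPLUNKD_CA_BUNDLE"))
    print("dispatched %s as sid %s" % (sys.argv[1], sid))
```

Because the secondary search is dispatched with the session key of the user that owns the triggering search, it runs with exactly that user's permissions; the scheduler log and the returned sid give an audit trail linking the light search to the heavy one it launched.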


2 Answers:

I have published an app that gives me the functionality that I'm looking for:
http://www.splunkbase.com/apps/All/4.x/app:RunSavedSearch+alert+action

answered 05 Aug '10, 18:31 by Lowell ♦

edited 20 Aug '10, 05:52 by Justin Grant

answered 28 May '10, 17:24 by Simeon ♦

edited 29 Jul '10, 18:58 by the_wolverine ♦

Yes, that is correct. I do want to use conditional alerting. But I want to use it in a way that is not covered in the docs. I would like to use a conditional alert that runs a secondary saved search, and I want that secondary search to actually be the search that launches the alerting action. Perhaps my question was unclear.

(28 May '10, 19:10) Lowell ♦

This is very interesting.

Would there be a way to abort the search execution without raising an error? Because you could then add a custom search command which, in case it reads zero input results, aborts the search. Something like this:

"lightsearch" | abortonnoresults | search "heavysearch" | ...

(30 Jun '10, 17:15) Paolo Prigione

@Paolo, I was wondering that too. But the answer I received is that you can't really abort a search like this. There is really no flow control mechanism provided by Splunk short of the alerting condition of a saved search. See related: http://answers.splunk.com/questions/4472/can-a-search-be-terminated-prematurely-based-on-a-condition-established-within-th

(05 Aug '10, 18:31) Lowell ♦
Asked: 28 May '10, 15:55

Seen: 1,318 times

Last updated: 20 Aug '10, 05:55

Copyright © 2005-2012 Splunk Inc. All rights reserved.