Saving searches for reuse

As an example, let's build a search query, save it (as a report), and then make an alert out of it. First, let's find errors that affect mary, one of our most important users. This can simply be the query mary error. Looking at some sample log messages that match this query, we see that some of these events probably don't matter (the dates have been removed to shorten the lines).

ERROR LogoutClass error, ERROR, Error! [user=mary, ip=3.2.4.5]
WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3]
ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]
WARN LogoutClass error, ERROR, Error! [user=mary, ip=1.2.3.4]
DEBUG FooClass error, ERROR, Error! [user=mary, ip=3.2.4.5]
ERROR AuthClass Nothing happened. This is worthless. Don't log this. [user=mary, ip=1.2.3.3]

We can probably skip the DEBUG messages; the LogoutClass messages look harmless, and the last message actually says that it's worthless. mary error NOT debug NOT worthless NOT logoutclass limits the results to:

WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3]
ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]

For good measure, let's add the sourcetype field and some parentheses.

sourcetype="impl_splunk_gen" (mary AND error) NOT debug NOT worthless NOT logoutclass

Another way of writing the same thing is as follows:

sourcetype="impl_splunk_gen" mary error NOT (debug OR worthless OR logoutclass)
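As an added example (not code from the book or from Splunk itself), here is a small Python evaluator that applies this kind of bare-term query to the sample events above, using case-insensitive term matching and Splunk's operator precedence (NOT binds tightest, then OR, then AND), so both spellings of the query return the same two events. It assumes a simplified tokenizer and does not handle field=value terms such as sourcetype.

```python
import re

# Constructed sample events, copied from the log lines on this page (dates removed).
EVENTS = [
    "ERROR LogoutClass error, ERROR, Error! [user=mary, ip=3.2.4.5]",
    "WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3]",
    "ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]",
    "WARN LogoutClass error, ERROR, Error! [user=mary, ip=1.2.3.4]",
    "DEBUG FooClass error, ERROR, Error! [user=mary, ip=3.2.4.5]",
    "ERROR AuthClass Nothing happened. This is worthless. Don't log this. [user=mary, ip=1.2.3.3]",
]

def terms(event):
    """Approximation of Splunk's indexed terms: split on non-alphanumerics, lowercase."""
    return set(re.findall(r"[a-z0-9]+", event.lower()))

def compile_query(query):
    """Predicate from a bare-term query; precedence as in Splunk: NOT, then OR, then AND."""
    toks = re.findall(r"\(|\)|[^\s()]+", query)   # parentheses and whitespace-separated words
    peek = lambda: toks[0] if toks else None
    def and_expr():                      # implicit or explicit AND, lowest precedence
        preds = [or_expr()]
        while peek() not in (None, ")"):
            if peek() == "AND":
                toks.pop(0)
            preds.append(or_expr())
        return lambda t: all(p(t) for p in preds)
    def or_expr():                       # OR binds tighter than AND
        preds = [unary()]
        while peek() == "OR":
            toks.pop(0)
            preds.append(unary())
        return lambda t: any(p(t) for p in preds)
    def unary():                         # NOT <x>, ( ... ), or a single term
        tok = toks.pop(0)
        if tok == "NOT":
            inner = unary()
            return lambda t: not inner(t)
        if tok == "(":
            inner = and_expr()
            assert toks.pop(0) == ")", "unbalanced parentheses"
            return inner
        term = tok.lower()               # search terms are matched case-insensitively
        return lambda t: term in t
    pred = and_expr()
    assert not toks, "unexpected trailing token"
    return pred
def search(query, events=EVENTS):
    pred = compile_query(query)
    return [e for e in events if pred(terms(e))]
```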

So that we don't have to type our query every time, let's go ahead and save it as a report for quick retrieval.

First, choose Save As…, and then, Report.

The Save As Report window appears.

Enter a value for Title, in our case, errors affecting mary. Optionally, we can add a short description of the search. The time range is filled in based on what was selected in the time picker, and we decide to include the Time Range Picker in the saved report. Click Save.

Once we see the preceding window (Your Report Has Been Created), we click on Permissions and see the Edit Permissions window:

For Display For, let's click on App (rather than the default Owner, as shown in the preceding screenshot):

Next, we'll check Read for all user roles except for power, since we know that certain users in our Splunk environment are members of this group (including our friend mary). Finally, we can click Save.

The search report is then available under Reports:

Selecting search/report from the menu runs the search using the latest data available.