In need of search string examples for:
**Desired outcome:**
Alert that shows N events in M amount of time or the lack of N events in M amount of time.
- For the alert to be within the parameters to qualify as BatchModeSearch
**Requirements for batch mode search**
Transforming searches that meet the following conditions can run in batch mode.
- The searches need to use generating commands like search, loadjob, datamodel, pivot, or dbinspect.
- The search can include transforming commands, like stats, chart, and so on. However the search cannot include commands like localize and transaction.
- If the search is not distributed, it cannot use commands that require time-ordered events, like streamstats, head, and tail.
- Confirm whether or not a search is running in batch mode by using the Search Job Inspector. Batch mode search is indicated by the boolean parameter isBatchModeSearch.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Configurebatchmodesearch
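A pair of searches that satisfy the batch-mode constraints listed above, added here as an illustration (not taken from the Splunk docs or from the original post). Both use only `search` as the generating command and `stats` as the transforming command, with no `transaction`, `streamstats`, `head` or `tail`, so nothing in them depends on time-ordered events. The index, sourcetype, 15-minute window and threshold of 100 are placeholders to replace. The first search returns a row when at least N events arrived in M minutes; the second returns a row when no events arrived at all:

```spl
index=main sourcetype=access_combined earliest=-15m latest=now
| stats count
| where count >= 100

index=main sourcetype=access_combined earliest=-15m latest=now
| stats count
| where count = 0
```

Schedule each one as an alert with the trigger condition "number of results is greater than 0". The second search works because `stats count` over an empty result set still produces a single row with `count=0`, so the `where` clause keeps that row exactly when nothing matched in the window. Both searches check total volume only: a per-source variant such as `stats count by host` cannot flag a host that went silent, because a host with no events produces no row at all. After running either search once, open the Search Job Inspector and confirm that `isBatchModeSearch` is set before relying on it as a batch-mode alert.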