The query below gives results like:
index=* | stats values(SERVICENAME) as SERVICE by HOST
HOST   SERVICE
-----  -------
h1     s1
       s12
h2     s2
       s23
h3     s3
       s56
h4     s4
h5     s4
When I use the sendemail command to send this as an alert, it gives:
index=* | stats values(SERVICENAME) as SERVICE by HOST | sendemail to="xx" ...
HOST   SERVICE
-----  -------
h1     s1
h2     s2
h3     s3
h4     s4
h5     s4
I am missing the complete results from my stats command. Please advise whether I need to change the 'sendemail.py' file to get the complete results?
Looks like you are having some issue with it being a multivalue situation. I would either use mvexpand to make the results one-to-one per line before emailing, or put it in a dashboard and then schedule an email report, such as a PDF of that dashboard, on a schedule.
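Two ways to carry out that suggestion, written here as an added example rather than the answerer's own search (field names HOST and SERVICENAME come from the question; the recipient, subject and the mvjoin delimiter are placeholders). The first search uses mvexpand so every HOST/SERVICE pair becomes its own row and no multivalue cell reaches sendemail; the second keeps one row per HOST and collapses the values into a single delimited string with mvjoin, which is the other common way to avoid multivalue cells in the mailed table.

```spl
index=* 
| stats values(SERVICENAME) as SERVICE by HOST 
| mvexpand SERVICE 
| sendemail to="ops@example.com" subject="services by host" sendresults=true inline=true

index=* 
| stats values(SERVICENAME) as SERVICE by HOST 
| eval SERVICE=mvjoin(SERVICE, ", ") 
| sendemail to="ops@example.com" subject="services by host" sendresults=true inline=true
```

Run either search without the final sendemail first to confirm the row shape is what you want to mail; mvexpand multiplies the row count, so the expanded form is the one to choose when each service should be a separate line in the alert.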
If that behaviour only occurs with a particular sourcetype it's probably best to post some sample data along with the configuration for that sourcetype.
Also, it works for me with some other sourcetypes, but the one I am facing the issue with is UDP data.
Also, I am extracting the SERVICE values using the field extractor.
I don't think that should be a problem for Splunk. Anyway, when I stats the results it properly shows all the values of SERVICE, but when I do the | sendemail it somehow skips them.
Strange behavior.
Even odder 😞 the stats calls are identical except for different field names, so something more sneaky must be going on.
Hi,
I got the results in one row separated with spaces for the _internal query.
But I still face the same issue for my search query: it takes only one value of SERVICE and skips the remaining values.
Odd, the only difference I see is format=html, but that's the default value.
Are you seeing the same issue with the _internal query I posted above?
I am using version 6. I am using the search query below. It doesn't give all the values of SERVICENAME.
index=* | stats values(SERVICENAME) as SERVICE by HOST | sendemail to="xx@x.x" format=html subject=myresults sendresults=true smtp="smtp.xxx.com"
I don't seem to be able to reproduce that... if I do this:
index=_internal | stats values(source) by sourcetype | sendemail to=me@me.me server=myserver subject=mvtest sendresults=true
I get all values of the multivalue field for the sources, just not in two rows like in the Splunk result without sendemail, but rather in one row separated by a space:
sourcetype   values(source)
...
splunkd      /opt/splunk/var/log/splunk/metrics.log /opt/splunk/var/log/splunk/splunkd.log
...
Are you doing anything differently? What version are you on?