Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Declare a Variable in Search?

skoelpin
SplunkTrust
SplunkTrust
‎03-17-2015 08:39 AM

I have a query which returns back response times that are greater than 5 seconds.. I then set an alert to email me whenever the response time was greater than 5 seconds. Below is a search which returned a web service (GetDeliveryScheduleRequest) request which had a response time greater than 5 seconds. I would like the alert to have the web service name (in this example its GetDeliveryScheduleRequest) in the title of the email so I'm able to know quickly which web service is having issues. 

INFO  2015-03-17 10:16:01,298 5834531ms spatchMessageInspector fterReceiveRequest - Request Record : |a8965c93-9e0a-435f-8471-219febc75e4b | <GetDeliveryScheduleRequest xmlns="http://tempuri.org/">
  <DeliveryType></DeliveryType>
  <EndDate>2015-06-15T04:00:00.486+00:00</EndDate>
  <RegionalInfo>

So how can I declare the request as a variable and reference it in the alert title? If there's an easier way, please advise

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎03-17-2015 10:45 PM

You should be able to reference any field which is returned as a part of the results of your alerts query.

There is an example setup on the docs

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎03-17-2015 10:45 PM

You should be able to reference any field which is returned as a part of the results of your alerts query.

There is an example setup on the docs

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-18-2015 11:06 AM

This is exactly what I was looking for.

My last question is where would I define 'GetDeliveryScheduleRequest' as a token?

I have 7 other web service calls, do I have to define each of them?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-18-2015 11:18 AM

This is what you need.
1) format you search to return fields that you like to display , may be like this (assuming WebServiceName is an extracted field)

your search with ResponseTime filter | table WebServiceName,_raw

2) Since, your alert search can return multiple events, I believe you'd setup a "per result alert".
3) In Email alert setup, use the token $result.WebServiceName$ so add web service name in subject.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-18-2015 11:56 AM

Thanks for the help..

I did a field extraction in my search to pull all the calls which is called 'Call5' and that works as expected.

Previously I had in the Subject 'Splunk Alert: $name$'.. I then took your suggestion and changed it to 'Splunk Alert: $result.Call5$' and nothing is showing up now.

Any other suggestion?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...