Include results of another search in the body of a...

jtsplunk · ‎04-04-2016

I have an alert that fires when the hourly count is 50% greater hour over hour, this seems to be working fine:

index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=@h | stats count as LastHour | appendcols [search index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | stats count as CurrHour] | where CurrHour>1.5*LastHour

This reports the LastHour and CurrHour values, which I would like. In addition to this I would also like the report to include something like the results from this search when the alert fires:

index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | chart count over errorCode

I'm not sure how to combine these to include both of these in the report output.

somesoni2 · ‎04-04-2016

Try this as your alert search

index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=now 
| eval period=if(_time>=relative_time(now(),"@h"),"CurrHour","LastHour") | chart count over errorCode by period | eventstats sum(CurrHour) as totCurrHour sum(LastHour) as totLastHour | where totCurrHour>1.5*totLastHour

Include results of another search in the body of an alert?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor