How to access searchmatch count in eMail notificat...

kodaganti · ‎05-26-2016

I have the below working SPLUNK query which is being used to print the timechart. I would like to trigger an email alert on daily basis. I would like to use the same query for email alert on daily basis.

Problem : How can I access the count of each searchmatch in email notification?

I am trying to access the counts like below in Splunk alert:

'$name$' 

Status Value  :  Count

Approved : $result.string.Approved$
Declined   : $result.string.Decline$
Pending    : $result.string.Pending$
Review      : $result.string.Review$
Null            :$result.string.Null_Status$

ALL            :  $result.All$ (Should be sum of all above statues)

But it is not working.

Here is the Query:

index=dotcom sourcetype=dotcom_cc   "and applicationStatus value : *" OR "and applicationStatus value : D" OR "and applicationStatus value : R"  OR "and applicationStatus value : A" OR "and applicationStatus value : P" OR "and applicationStatus value : null"  | eval string=case(searchmatch("and applicationStatus value : D"), "Decline",  searchmatch("and applicationStatus value : R"), "Review",  searchmatch("and applicationStatus value : A"), "Approved",  searchmatch("and applicationStatus value : P"), "Pending",  searchmatch("and applicationStatus value : null"), "Null_Status") | timechart count by string

woodcock · ‎05-26-2016

First, add this to your search:

| eval All = "Decline" + "Review" + "Approved" + "Pending" + "Null_Status"

Then try this for your email:

'$name$'

Status Value:  Count
Approved:      $result.Approved$
Declined:      $result.Decline$
Pending:       $result.Pending$
Review:        $result.Review$
Null:          $result.Null_Status$

ALL:           $result.All$

How to access searchmatch count in eMail notifications

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life