How do I show the source file and host for a searc...

cj039165 · ‎07-27-2016

I have an alert set up that will send an email to a group of individuals when we get responses from a payer with AAA*Y**41 in it. What I would like to include is the source file this string was found in and, if possible, the Host it was found on. It's possible this could show up in 226 different files. I can't email the raw data, it contains personal health information.

Search :

index=hdx_payer source="/hdx2/was70-32/AppServer/profiles/AppSrv01/logs/PRD2_PY0/*_Receive.log" | regex "AAA\*Y\*\*41\*"

Thanks

JDukeSplunk · ‎07-27-2016

It should be something like this:

    index=hdx_payer source="/hdx2/was70-32/AppServer/profiles/AppSrv01/logs/PRD2_PY0/*_Receive.log"
 | regex "AAA*Y**41*"
 | stats count(source) as COUNT by source host

This should give you a table that shows the number of hits per source file, per host.

pradeepkumarg · ‎07-27-2016

Is this what you are looking for?

index=hdx_payer source="/hdx2/was70-32/AppServer/profiles/AppSrv01/logs/PRD2_PY0/*_Receive.log" | regex "AAA\*Y\*\*41\*"  | table host, source

How do I show the source file and host for a search result in email alerts?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes