- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- What command to use to get the count without using...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to create an alert based on the number of the events I need to define the criticality and include that in the subject of the alert. But, I am using eventstats command in my search. So, I am not able to use the fields in the alert subject or body. Please provide an alternative.
Base query
| eval counter=case(
(time_taken > 90000), "Count_90",
some switch cases
(time_taken > 4000), "Count_4"
)
| eventstats count(eval(match(counter,"Count_90"))) as "Counter_90" count(eval(match(counter,"Count_60"))) as "Counter_60" count(eval(match(counter,"Count_30"))) as "Counter_30" count(eval(match(counter,"Count_20"))) as "Counter_20" count(eval(match(counter,"Count_15"))) as "Counter_15" count(eval(match(counter,"Count_10"))) as "Counter_10" count(eval(match(counter,"Count_4"))) as "Counter_4"
| eval criticality = case(
(Counter_90>5), "Critical-90s",
Some switch cases
(Counter_04>24), "Critical-4s",
(Counter_4>11 AND Counter_4 <= 17), "Warning-4s"
)
| table criticality,Time,host,c_ip,cs_uri_stem,s_ip,s_port,sc_status,sc_substatus,time_taken
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I got it. I removed the field name from the table. I added all the filed names that I needed to use them in the alert subject and it worked. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I got it. I removed the field name from the table. I added all the filed names that I needed to use them in the alert subject and it worked. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on what Splunk version you're using, you should be able to use fields from your search results in your Email Subject (see this https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/EmailNotificationTokens ). Since the criticality is a field in your search result, you should be able to include it using $result.criticality$. Please note only the first value for the specified field name from the first search result row will be added.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our's is Splunk 7.0.2. I tried to add that way to the alert subject. But, no use. I am getting an null value. As I used eventstats is that the reason? Is there any other way to perform what I was doing using eventstats command?
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
