Hello,
I have this search:
index=* ERROR | eval svc=mvindex(split(index,"-"),4) | stats count(svc) as cnt_svc by svc,source | where cnt_svc > 10
and my result can be for multiple services or for a single service:
svc       source            cnt_svc
accounts  /data/errors.log  120
accounts  /data/system.log  23
users     /data/system.log  34
orders    /data/errors.log  83
or
svc       source            cnt_svc
accounts  /data/errors.log  120
accounts  /data/system.log  23
My email subject line has to be "Splunk errors for 3 services" in the 1st case or "Splunk errors for accounts" in the 2nd case.
Is it possible to do it?
Thank you.
Add this line to your search:
| eventstats count as totalcount
Now you should have an additional column "totalcount", which is 4 in this example:
svc       source            cnt_svc  totalcount
accounts  /data/errors.log  120      4
accounts  /data/system.log  23       4
users     /data/system.log  34       4
orders    /data/errors.log  83       4
Now change the email subject line of your alert to:
Splunk errors for $result.totalcount$ services
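As an added example (it is not part of the question or the answer above), here is the full search extended so that the subject line covers both cases the question describes: a count of distinct services when there are several, and the service name when there is only one. It uses the same `eventstats` approach, but with `dc(svc)` for the number of distinct services (rather than the number of rows) and `values(svc)` to recover the name in the single-service case. The field names `svc_count`, `svc_list` and `subject` are my own choice, not from the original search.

```spl
index=* ERROR
| eval svc=mvindex(split(index,"-"),4)
| stats count(svc) as cnt_svc by svc,source
| where cnt_svc > 10
| eventstats dc(svc) as svc_count, values(svc) as svc_list
| eval subject=if(svc_count=1, mvindex(svc_list,0), svc_count." services")
```

Set the alert subject to `Splunk errors for $result.subject$`. The `$result.<field>$` token expands to the value from the first result row, which is safe here because `eventstats` writes the same `subject` value onto every row. With the first result set above (accounts, users, orders) every row carries `subject=3 services`, so the e-mail subject becomes "Splunk errors for 3 services"; with the second result set it carries `subject=accounts` and the subject becomes "Splunk errors for accounts". Because `where cnt_svc > 10` runs before `eventstats`, only services that actually passed the threshold are counted.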