Splunk Search

Can stats be in the subject of an alert-generated e-mail?

unitedmarsupial
Path Finder

We have an alert that checks for a particular condition (Oracle errors) across multiple indexes:

(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*

The e-mail is sent to multiple people. I'd like the subject of the e-mail generated to contain the output of stats sum(count) by index -- to help people responsible for the different applications prioritize their work... Can things like this be done?

Update: I attempted to follow the advice by @aberkow, adding the last line like this:

....
| eval App=upper(index) 
| fields App, _time, Description, source
| stats sum(count) as incidence by App

And then adding $result.incidence$ to the subject. Unfortunately, this did not add the actual counts to the Subject. Worse, the body of the e-mail -- instead of listing the four fields specified, now lists only two columns: the App and the incidence. And the latter column is empty...

0 Karma

aberkow
Builder

Do you mean something like this? https://answers.splunk.com/answers/785739/is-it-possible-to-have-a-token-in-the-saved-search.html#an...

I think you're saying that you want to add a token to the subject, which is super doable:

| stats sum(count) as countOfWhatever by index

Subject: $result.countOfWhatever$ unindexed or unsupported or...

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens: for the same info linked in that other question!

Hope this helps

0 Karma

unitedmarsupial
Path Finder

Thanks. That removed all of the events from the e-mail's body -- replacing them with the incidence per index. Can I keep the alert-body as it was, but still have the per-index summary in the Subject?

0 Karma

aberkow
Builder

Good call out - I made the update. That's interesting, what is in your alert-body before? Was it also a token? It shouldn't have affected it, although most of the time I just send $results_link$ as a best practice.

0 Karma

unitedmarsupial
Path Finder

The alert used to contain a table of all of the detected Oracle errors -- the four fields enumerated in my question. Now it contains only two fields: the App and the incidence. And the second column is empty...

0 Karma
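One search shape that keeps every event in the e-mail body while still exposing a per-App summary that a `$result.*$` subject token can read, added here as an example and not taken from the thread. It assumes the raw events carry no field named `count` (so `count` is used instead of `sum(count)`) and relies on `eventstats`, which attaches aggregates to each event rather than collapsing the result set the way `stats` does; `$result.fieldname$` reads the first result row, so the summary is copied onto every row.

```spl
(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*
| eval App=upper(index)
| fields App, _time, Description, source
| eventstats count AS incidence BY App
| eval pair=App.":".incidence
| eventstats values(pair) AS summary
| eval summary=mvjoin(summary, ", ")
| fields - pair
```

With this search the body still lists App, _time, Description and source (plus incidence and summary), and a subject such as `ORA errors by app: $result.summary$` expands to a string like `BAR:3, FOO:12, HOP:5` built from the first row.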