Splunk Search

Can stats be in the subject of an alert-generated e-mail?

unitedmarsupial
Path Finder

We have an alert that checks for a particular condition (Oracle errors) across multiple indexes:

(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*

The e-mail is sent to multiple people. I'd like the subject of the e-mail generated to contain the output of stats sum(count) by index -- to help people responsible for the different applications prioritize their work... Can things like this be done?

Update: I attempted to follow the advice by @aberkow, adding the last line like this:

....
| eval App=upper(index) 
| fields App, _time, Description, source
| stats sum(count) as incidence by App

And then adding $result.incidence$ to the subject. Unfortunately, this did not add the actual counts to the Subject. Worse, the body of the e-mail -- instead of listing the four fields specified, now lists only two columns: the App and the incidence. And the latter column is empty...

0 Karma

aberkow
Builder

Do you mean something like this? https://answers.splunk.com/answers/785739/is-it-possible-to-have-a-token-in-the-saved-search.html#an...

I think you're saying that you want to add a token in the subject, which is super doable.

| stats sum(count) as countOfWhatever by index

Subject: $result.countOfWhatever$ unindexed or unsupported or...

See https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens for the same info linked in that other question!

Hope this helps

0 Karma

unitedmarsupial
Path Finder

Thanks. That removed all of the events from the e-mail's body -- replacing them with the incidence per index. Can I keep the alert body as it was, but still have the per-index summary in the Subject?

0 Karma

aberkow
Builder

Good call out - I made the update. That's interesting, what is in your alert-body before? Was it also a token? It shouldn't have affected it, although most of the time I just send $results_link$ as a best practice.

0 Karma

unitedmarsupial
Path Finder

The alert used to contain a table of all of the detected Oracle errors -- the four fields enumerated in my question. Now it contains only two fields: the App and the incidence. And the second column is empty...

0 Karma
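The two symptoms described in the thread follow from how the search in the question is built: `stats` is a transforming command, so it replaces the event rows with one summary row per App, which is why the e-mail body shrank to two columns, and `sum(count)` is empty because no `count` field exists on the raw events (nothing earlier in the search created one). The search below is an added example, not code from the thread or from Splunk, showing how to keep the per-event table for the body while still having a per-App summary string available to a `$result.fieldname$` subject token. It uses the indexes and fields from the question; the field names `incidence`, `pair` and `summary` are my own choices. `eventstats` is used instead of `stats` because it appends aggregate fields to every row without collapsing the results.

```spl
(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*
| eval App=upper(index)
| fields App, _time, Description, source
| eventstats count as incidence by App
| eval pair=App."=".incidence
| eventstats values(pair) as summary
| eval summary=mvjoin(summary, ", ")
| fields - pair
```

Every row now carries the same `summary` value, for example `BAR=2, FOO=3, HOP=5`, so a subject of `ORA errors by app: $result.summary$` resolves to that string (a `$result.<field>$` token takes its value from the first result row, as the result-tokens documentation linked above states). The original four columns remain in the body, with `incidence` and `summary` added alongside them; the `summary` column cannot be dropped with `fields -`, because the token is filled from the result set that is sent.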