I've tried triggering 'Once' and 'For each result', and in both cases I see only one result in the POST body sent via the webhook. I've included an example below.
I was hoping for either all results, so that I could count them, or better yet a count of results. Is this possible?
{
  "app": "search",
  "owner": "emailaddress@adomain.com",
  "search_name": "Alert Name",
  "results_link": "http://a.pointless.url/that/doesn%27t/work",
  "sid": "scheduler_ZGF2aWQuZ2FyZEBsYW5kbWFyay5jby51aw__search__RMD5decc55088fa60070_at_1535711100_37050",
  "result": {
    "splunk_server_group": "",
    "_eventtype_color": "",
    "_cd": "4:960",
    "_serial": "0",
    "_sourcetype": "httpevent",
    "_bkt": "my-index-name~4~98B5C0B4-EAAF-4B7C-9775-56A8E159035D",
    "_time": "1535710877",
    "splunk_server": "splunk.adomain.com",
    "_kv": "1",
    "_indextime": "1535710877",
    "source": "my-index-name",
    "eventtype": "",
    "_raw": "This is a test, everything is really fine.",
    "host": "splunk.adomain.com",
    "index": "my-index-name",
    "_si": [
      "splunk.adomain.com",
      "my-index-name"
    ],
    "punct": "__-_",
    "sourcetype": "httpevent",
    "linecount": "1"
  }
}
All I had to do here was return a count from the search, as opposed to the full results of the search.
index="my-index-name" THIRD_PARTY_ERROR | stats count as total
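A receiver-side check that goes with this answer, added here as an example and not part of the thread: it parses a webhook body of the shape shown in the question and reads the count from `result.total`, returning None when the saved search was not ended with `| stats count as total` and the body carries a single raw event instead. Both payloads are constructed samples modelled on the thread's JSON, not real Splunk output.

```python
import json
from typing import Optional

# Constructed sample bodies modelled on the thread's JSON (not captured from Splunk).
# A search without "| stats" delivers one raw event under "result":
RAW_EVENT_PAYLOAD = b'''{"app": "search", "owner": "emailaddress@adomain.com",
 "search_name": "Alert Name", "sid": "scheduler_example_search_at_1535711100_1",
 "result": {"_raw": "This is a test, everything is really fine.",
            "index": "my-index-name", "sourcetype": "httpevent"}}'''

# The same alert after appending "| stats count as total" to the saved search:
COUNT_PAYLOAD = b'''{"app": "search", "owner": "admin",
 "search_name": "Alert Name", "sid": "scheduler_example_search_at_1535711100_2",
 "result": {"total": "8"}}'''

# Keys present in every webhook body shown in the thread.
REQUIRED_KEYS = ("app", "owner", "search_name", "sid", "result")


def parse_webhook(body: bytes) -> dict:
    """Parse the POST body and reject anything that lacks the Splunk webhook shape."""
    payload = json.loads(body.decode("utf-8"))
    missing = [key for key in REQUIRED_KEYS if key not in payload]
    if missing:
        raise ValueError(f"not a Splunk webhook payload, missing keys: {missing}")
    if not isinstance(payload["result"], dict):
        raise ValueError("'result' must be a JSON object")
    return payload


def extract_count(payload: dict, field: str = "total") -> Optional[int]:
    """Return the count carried in result[field], or None when the search did not
    end in '| stats count as <field>' and the result is a single raw event."""
    value = payload["result"].get(field)
    if value is None:
        return None
    # Splunk serialises every field value as a string, e.g. "count": "8".
    return int(value)


if __name__ == "__main__":
    for body in (RAW_EVENT_PAYLOAD, COUNT_PAYLOAD):
        payload = parse_webhook(body)
        count = extract_count(payload)
        print(payload["sid"], "->", "no count field" if count is None else count)
```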
Hi, what is the search you're using?
I'm using a basic search, simply searching for any events with an occurrence of "THIRD_PARTY_DOWN" within a single index.
index="my-index-name" THIRD_PARTY_ERROR
May I ask, how do you think that will affect the POST body sent by a webhook?
I thought you wanted to include the total number of events (like count in the example below) in your results. Please correct me if I misunderstood your question.
{
  "result": {
    "sourcetype": "mongod",
    "count": "8"
  },
  "sid": "scheduler_admin_search_W2_at_14232356_132",
  "results_link": "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
  "search_name": null,
  "owner": "admin",
  "app": "search"
}
Yep, looks like that worked. Thanks.
Yes, that's the idea. I think I may have figured this out - I can append " | stats count as total" to my saved search, and that should hopefully do the job - will update when I've tested.
Yes. I was about to suggest the same. Append your search with stats to produce count.