topic Re: Ticketing from Splunk: Can we have the search return verbiage based on the results to be used in a ticket? in All Apps and Add-ons

Ticketing from Splunk: Can we have the search return verbiage based on the results to be used in a ticket?

sallyanntracy — Fri, 29 Dec 2017 19:34:31 GMT

We're using Splunk App for VMware to monitor and ticket our ESXi hosts & guests. We want to have helpful verbiage appear in the ticket based on the results of the alert search. Can we write that into a search instead of in the ticketing code?

Alert: VMW ESX Server Disconnected

Condition: return #connectionState# != "connected" && #virtualMachinesPoweredOnCount# > 0

Verbiage:
Virtual Machines Powered On. ESX Server @name disconnected from the Virtual Center while @vmcount virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center.

Re: Ticketing from Splunk: Can we have the search return verbiage based on the results to be used in a ticket?

micahkemp — Sun, 31 Dec 2017 17:33:47 GMT

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center."