topic Re: What command to use to get the count without using transforming commands for the alert I created? in Alerting

What command to use to get the count without using transforming commands for the alert I created?

kollachandra — Wed, 28 Feb 2018 17:17:27 GMT

I have to create an alert based on the number of the events I need to define the criticality and include that in the subject of the alert. But, I am using eventstats command in my search. So, I am not able to use the fields in the alert subject or body. Please provide an alternative.

Base query

 | eval counter=case(
        (time_taken > 90000), "Count_90", 
    some switch cases
        (time_taken > 4000), "Count_4"
        ) 
    | eventstats count(eval(match(counter,"Count_90"))) as "Counter_90" count(eval(match(counter,"Count_60"))) as "Counter_60" count(eval(match(counter,"Count_30"))) as "Counter_30" count(eval(match(counter,"Count_20"))) as "Counter_20" count(eval(match(counter,"Count_15"))) as "Counter_15" count(eval(match(counter,"Count_10"))) as "Counter_10" count(eval(match(counter,"Count_4"))) as "Counter_4"
    | eval criticality = case(
        (Counter_90>5), "Critical-90s",
        Some switch cases
        (Counter_04>24), "Critical-4s",
        (Counter_4>11 AND Counter_4 <= 17), "Warning-4s"
        )
    | table criticality,Time,host,c_ip,cs_uri_stem,s_ip,s_port,sc_status,sc_substatus,time_taken

Re: What command to use to get the count without using transforming commands for the alert I created?

somesoni2 — Wed, 28 Feb 2018 17:29:44 GMT

Based on what Splunk version you're using, you should be able to use fields from your search results in your Email Subject (see this https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/EmailNotificationTokens ). Since the criticality is a field in your search result, you should be able to include it using $result.criticality$ . Please note only the first value for the specified field name from the first search result row will be added.

Re: What command to use to get the count without using transforming commands for the alert I created?

kollachandra — Wed, 28 Feb 2018 17:41:22 GMT

Our's is Splunk 7.0.2. I tried to add that way to the alert subject. But, no use. I am getting an null value. As I used eventstats is that the reason? Is there any other way to perform what I was doing using eventstats command?

Re: What command to use to get the count without using transforming commands for the alert I created?

kollachandra — Wed, 28 Feb 2018 18:59:07 GMT

I think I got it. I removed the field name from the table. I added all the filed names that I needed to use them in the alert subject and it worked. Thank you!