topic Re: How to add multiple rows while creating Incident through splunk in Dashboards & Visualizations

How to add multiple rows while creating Incident through splunk

aditsss — Wed, 31 Mar 2021 14:12:46 GMT

Hi Everyone,

I have one requirement.

I am creating Incident through splunk alerts using SAHARA.

This issue I am facing is:

Below is my query:

index=abc ns=xyz|stats count by app_name|eval f1="khus"

The result of the query is this:

app_name f1

abc khus

xyx khus

But when I creating incident I am only getting first row in my incident not the second row

I have passed like this in unique ID

$result.app_name$ $result.f1$

Can someone guide me on this

Re: How to add multiple rows while creating Incident through splunk

manjunathmeti — Wed, 31 Mar 2021 14:29:06 GMT

hi @aditsss,

You can set Trigger to For each result under Trigger Conditions on the alert edit page.

If this reply helps you, a like would be appreciated.

Re: How to add multiple rows while creating Incident through splunk

aditsss — Wed, 31 Mar 2021 15:31:46 GMT

@manjunathmeti

In this way 2 Incidents are created for each row.

I want only one Incident should be there and 2nd should be append to it.

Because they are from the same result .

Can you guide me is that possible

Re: How to add multiple rows while creating Incident through splunk

manjunathmeti — Wed, 31 Mar 2021 15:36:21 GMT

You can attach results as csv file OR make fields multivalued so that all the events fit into on erow.

index=abc ns=xyz | stats count by app_name | eval f1="khus" | stats values(*) as *

Re: How to add multiple rows while creating Incident through splunk

aditsss — Wed, 31 Mar 2021 15:41:55 GMT

@manjunathmeti

I cant use csv or I can append result in single row because these are Exception messages and ol will be different.

There could be 15 rows also.

Is there any way that if search alert result in 5 rows

one incident will be created and all the 5 rows will be appended to it.

Is any functionality there .

Re: How to add multiple rows while creating Incident through splunk

manjunathmeti — Wed, 31 Mar 2021 15:48:39 GMT

Yes you can, try this:

Re: How to add multiple rows while creating Incident through splunk

aditsss — Wed, 31 Mar 2021 16:10:31 GMT

@manjunathmeti

I tried with this query as well:

I am still getting 3 rows

Re: How to add multiple rows while creating Incident through splunk

manjunathmeti — Wed, 31 Mar 2021 16:13:40 GMT

Post some data if you don't get result as you expect.

Re: How to add multiple rows while creating Incident through splunk

aditsss — Wed, 31 Mar 2021 16:31:16 GMT

@manjunathmeti

with this query also I am getting 3 rows.

Is that possible that I can create one incident and then append rest of the rows in it.

Re: How to add multiple rows while creating Incident through splunk

aditsss — Thu, 01 Apr 2021 08:20:59 GMT

@manjunathmeti

I want like if 2 rows are coming in search result for alert then both rows should come in same incident

Suppose these are the result I am getting:

F1 appname

k d

c g

Then when creating incident in uniquefield when I type $result.F1$ $result.appname$

Then both F1 and appname should come on same incident

But currently I am getting only one in incident

Can you guide me on this