topic Re: Can stats be in the subject of an alert-generated e-mail? in Splunk Search

Can stats be in the subject of an alert-generated e-mail?

unitedmarsupial — Mon, 09 Dec 2019 17:30:09 GMT

We have an alert, that checks for a particular condition (Oracle-errors) across multiple indexes:

(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*

The e-mail is sent to multiple people. I'd like the subject of the e-mail generated to contain the output of stats sum(count) by index -- to help people responsible for the different applications prioritize their work... Can things like this be done?

Update: I attempted to follow the advice by @aberkow adding the last line like this:

....
| eval App=upper(index) 
| fields App, _time, Description, source
| stats sum(count) as incidence by App

And then adding $result.incidence$ to the subject. Unfortunately, this did not add the actual counts to the Subject. Worse, the body of the e-mail -- instead of listing the four fields specified, now lists only two columns: the App and the incidence. And the latter column is empty...

Re: Can stats be in the subject of an alert-generated e-mail?

aberkow — Mon, 09 Dec 2019 18:53:34 GMT

Do you mean something like this? https://answers.splunk.com/answers/785739/is-it-possible-to-have-a-token-in-the-saved-search.html#answer-784991

I think you're saying that you want to add in a token in the subject, which is super doable

| stats sum(count) as countOfWhatever by index

Subject: $result.countOfWhatever$ unindexed or unsupported or...

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens: for the same info linked in that other question!

Hope this helps

Re: Can stats be in the subject of an alert-generated e-mail?

unitedmarsupial — Mon, 09 Dec 2019 19:18:21 GMT

Thanks.That removed all of the events from the e-mail's body -- replacing them with the incidence per index. Can I keep the alert-body as it was, but still have the per-index summary in Subject?

Re: Can stats be in the subject of an alert-generated e-mail?

aberkow — Mon, 09 Dec 2019 19:42:57 GMT

Good call out - I made the update. That's interesting, what is in your alert-body before? Was it also a token? It shouldn't have affected it, although most of the time I just send $results_link$ as a best practice.

Re: Can stats be in the subject of an alert-generated e-mail?

unitedmarsupial — Mon, 09 Dec 2019 21:12:19 GMT

The alert used to contain a table of all of the detected oracle-errors -- four fields enumerated in my question. Now it contains only two fields: the App and the incidence. And the second column is empty...