topic Extract a field/or a single value from a scheduled alert table in Splunk Search

Extract a field/or a single value from a scheduled alert table

smhsplunk — Sun, 16 Oct 2016 23:49:56 GMT

So I am generating an alert everyday at 2am, the alert is basically a table with several fields, now I would like the user to utilize this saved alert by only using a single value from it (I need the entire table because beforehand I do not know which value the user will select)

currently it is only

<table>
<search ref="alert_objects"></search>
</table>

is it possible to search in this like

<table>
<search ref="alert_objects"> | search * host="$host_token$" 
 table total_time</search>
</table>

Re: Extract a field/or a single value from a scheduled alert table

inventsekar — Mon, 17 Oct 2016 08:25:31 GMT

<search ref="alert_objects"></search>
is not the search query.

can you copy and paste the whole xml please..
or, the <query> part.

Re: Extract a field/or a single value from a scheduled alert table

smhsplunk — Tue, 29 Sep 2020 11:26:34 GMT

The actual search query is saved as an alert (alert name "alert_objects")
I am trying to get a field value from it, this is the actual query (saved as alert)

index=main host="*"   
                  | transaction startswith="StartSession" endswith="EndSession" by source   
          | appendpipe [ | stats count | where count = 0 | eval duration=0]
                  | eval session_per_source = duration 
                  | stats sum(session_per_source) as total_time by host
                  | table host, total_time
                  | fillnull value=NULL

I need the entire table as an alert, and was wondering if I could query this alert and only show the value part
| search * host="$host_token$"
table total_time

Re: Extract a field/or a single value from a scheduled alert table

somesoni2 — Mon, 17 Oct 2016 14:58:41 GMT

Try like this

Replace

<table>
 <search ref="alert_objects"></search>
 </table>

With Updated

<form>
...other xml portions..
<search ref="alert_objects" id="base_alert_objects" ></search>
....
 <table>
 <search base="base_alert_objects"> <query> search * host="$host_token$" |  table total_time</query></search>
 </table>
...
</form>

Re: Extract a field/or a single value from a scheduled alert table

smhsplunk — Mon, 17 Oct 2016 15:26:23 GMT

This should work but it is giving me the entire table again, seems like its ignoring this entire part

search * host="$host_token$" |  table total_time

I have

<row>
<panel>
<search ref="alert_objects" id="base_alert_objects" ></search>
<table>
  <search base="base_alert_objects">  search * host="$host_token$" |  table total_time</search>
  </table>
</panel>
</row>

Re: Extract a field/or a single value from a scheduled alert table

somesoni2 — Mon, 17 Oct 2016 15:29:24 GMT

I missed the query tag in there. Try the updated one.

Re: Extract a field/or a single value from a scheduled alert table

smhsplunk — Mon, 17 Oct 2016 15:40:06 GMT

awesome it works!