Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Custom Alert: Get Result Count and Search Query

betamx
Observer
‎12-28-2021 04:01 PM

Hi, I'm new to creating custom alert action & I'm following the documentations provided by Splunk to create this. While I've got my alert to work, however I couldn't find a mechanism to inject the following two items to my application:

  • The number of items in the search result
  • The actual search query

In my use-case I need both of them & I'm not sure how to do that. I tried following another solved answer on similar lines but this hasn't helped me so far. Here's what I did in the savedsearches.conf.:

 

.....
.....
action.tmc.param.result_count = $job.resultCount$
action.tmc.param.search_query = $job.search$
.....
.....
.....

 

I've also defined the savedsearches.conf..spec file as follows:

.....
.....
action.tmc.param.result_count = <integer>
action.tmc.param.search_query = <string>
.....
.....
.....

However in my python script, when I print out the configuration sent out, I don't see these two arguments passed. I've restarted Splunk but that hasn't helped either.

I would really appreciate if someone can please help guide me to the right direction. Thanks! 

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...