Alerting

How can I send a list of items to an alert?

voninski
New Member

I have the following search:

index=* sourcetype=HAI | transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]"

The attached screenshot shows you my results.

NOT READY means that something is open in my house (the search is against my home security system).

I would like to run this search on a scheduled basis and send the list of names based on 'not ready'.

How can I send a list of items like this to an alert? Do I have to build a concatenated string? Or is there a way to send a list like this to an alert?

I have not yet been able to find an example to do this.

Thank you.

Rich

0 Karma
1 Solution

somesoni2
Revered Legend

Use info from this link to setup your search as alert

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Definescheduledalerts

Use this link to setup the Email notification and make sure to configure 'Include' with option "Inline results formatted as a table, raw events, or CSV file"

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Emailnotification

0 Karma


voninski
New Member

Inline table doesn't work well with cellphone text messages. I need to just provide the names of all items to the cellphone in a text message.

If it was just an email - inline table would work fine.

Any idea of how to do this for a cellphone? As I was thinking - maybe building a concatenated string?

0 Karma

somesoni2
Revered Legend

You can merge all names into one string like this:

index=* sourcetype=HAI | transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]" | stats values(name) as name delim="," | nomv name 
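A fuller version of the same idea, added here as an example for this thread (it is not from either poster or from the Splunk docs): it keeps somesoni2's merge step, adds a count and a single one-line `message` field that fits a text message, and ties it to the scheduled-alert and email-action setup from the accepted answer. The `grouped_events` transaction type and the `name` / `currentStatusText` fields are the ones from the question; `open_count` and `message` are names chosen for this example.

```spl
index=* sourcetype=HAI
| transaction name=grouped_events
| search currentStatusText != ""
| stats first(currentStatusText) as DisplayValue by name
| search DisplayValue="[NOT READY]"
| stats delim=", " count as open_count, values(name) as name
| nomv name
| eval message="Open (".open_count."): ".name
| table open_count, name, message
```

When nothing is open the final `stats` produces no rows, so a trigger condition of "Number of results is greater than 0" keeps the alert silent until something is actually NOT READY. In the email action, reference `$result.message$` in the subject or message body instead of including inline results, which sends only the merged string.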

voninski
New Member

B-I-N-G-O!! That's exactly what I'm looking for!!

TY

0 Karma

ppablo
Retired

Glad you found your answer 🙂 Don't forget to upvote @somesoni's comment for helping you out.

Cheers!

Patrick

0 Karma

voninski
New Member

I would like to send this as an alert to a cellphone via text message, which is why the inline table doesn't work well.

0 Karma