Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I send the number of results OR all search results via a webhook triggered by an alert?

dgard
Explorer
‎08-31-2018 03:36 AM

I've tried triggering 'Once' and 'For each result', and in both cases I see only one result in the POST body send via the webhook. I've included an example below.

I was hoping for either all results, so that I could count them, or better yet a count of results. Is this possible?

Example result

{
    "app": "search",
    "owner": "emailaddress@adomain.com",
    "search_name": "Alert Name",
    "results_link": "http://a.pointless.url/that/doesn%27t/work",
    "sid": "scheduler_ZGF2aWQuZ2FyZEBsYW5kbWFyay5jby51aw__search__RMD5decc55088fa60070_at_1535711100_37050",
    "result": {
        "splunk_server_group": "",
        "_eventtype_color": "",
        "_cd": "4:960",
        "_serial": "0",
        "_sourcetype": "httpevent",
        "_bkt": "my-index-name~4~98B5C0B4-EAAF-4B7C-9775-56A8E159035D",
        "_time": "1535710877",
        "splunk_server": "splunk.adomain.com",
        "_kv": "1",
        "_indextime": "1535710877",
        "source": "my-index-name",
        "eventtype": "",
        "_raw": "This is a test, everything is really fine.",
        "host": "splunk.adomain.com",
        "index": "my-index-name",
        "_si": [
            "splunk.adomain.com",
            "my-index-name"
        ],
        "punct": "__-_",
        "sourcetype": "httpevent",
        "linecount": "1"
    }
}

My alert

  • Enabled: Yes
  • App: search
  • Permissions: Shared in App
  • Alert Type: Scheduled (Cron Schedule)
  • Trigger Condition: Number of Results is > 0
  • Actions: 2 Actions
    • Add to Triggered Alerts
    • Webhook
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dgard
Explorer
‎08-31-2018 07:32 AM

All I had to do here was return a count from the search, as opposed to the full results of the search.

index="my-index-name" THIRD_PARTY_ERROR | stats count as total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dgard
Explorer
‎08-31-2018 07:32 AM

All I had to do here was return a count from the search, as opposed to the full results of the search.

index="my-index-name" THIRD_PARTY_ERROR | stats count as total
0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-31-2018 05:23 AM

Hi, what is the search you're using?

0 Karma
Reply
Solved! Jump to solution

dgard
Explorer
‎08-31-2018 05:48 AM

I'm using a basic search, simply searching for any events with an occurrence of "THIRD_PARTY_DOWN" within a single index.

index="my-index-name" THIRD_PARTY_ERROR

May I ask, how do you think that will affect the POST body sent by a webhook?

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-31-2018 07:06 AM

I thought, you want to include total number of events (like count in the example below) in your results. Please correct me if I misunderstood your question.

{

    "result": {
        "sourcetype" : "mongod",
        "count" : "8"
    },
    "sid" : "scheduler_admin_search_W2_at_14232356_132",
    "results_link" : "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
    "search_name" : null,
    "owner" : "admin",
    "app" : "search"
}
0 Karma
Reply
Solved! Jump to solution

dgard
Explorer
‎08-31-2018 07:32 AM

Yep, looks like that worked. Thanks.

0 Karma
Reply
Solved! Jump to solution

dgard
Explorer
‎08-31-2018 07:09 AM

Yes, that's the idea. I think I may have figured this out - I can append " | stats count as total" to my saved search, and that should hopefully do the job - will update when I've tested.

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-31-2018 07:12 AM

Yes. I was about to suggest the same. Append your search with stats to produce count.

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...