Alerting

How do we convert the result from stats to raw event data?

syazwani
Path Finder

Hi peeps,

I would like to trigger an alert from Splunk and send the alert to a third-party app. The third party-app can only receive and parse data by raw events. 

I create the alert using the 'stats' command which generating a statistic, which means the alert are send is a  statistic to the 3rd party app. How do we send the raw event from the statistic data as an alert?

Please help.

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Without more details it is difficult to say, but perhaps you could use eventstats to add the statistics to the raw events and use the where command to remove the events which don't have the required stat, leaving you with just the events you are interested in.

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Without more details it is difficult to say, but perhaps you could use eventstats to add the statistics to the raw events and use the where command to remove the events which don't have the required stat, leaving you with just the events you are interested in.

0 Karma

syazwani
Path Finder
index=abc to!="" from!="" src_type=int
| stats dc(to) as "RC" by from
| eval True=if('RC'>1, "True", "False")
| table from, RC, True
| where True="True"
| sort - RC
| fields - True
| rename from as User, RC as "Recipient Count"

 is here the sample of the query. could you please help to edit the query?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=abc to!="" from!="" src_type=int
| eventstats dc(to) as "RC" by from
| eval True=if('RC'>1, "True", "False")
| table _raw, from, RC, True
| where True="True"
| sort - RC
| fields - True
| rename from as User, RC as "Recipient Count"
0 Karma

syazwani
Path Finder

The 'eventstats' command will display raw event in table. But what if, we want to display data by event tab but using 'stats' command as we need to calculate events. 

For example, the result of this query shows the under event tab;

`get_index` `get_sourcetypes` `ct_hostinfo` 
| head

 Do we have any ways to display the alert result as above result which the query consist of 'stats' command (which by default it will display the result in table)?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am unclear what your requirement is here. You mentioned an alert. An alert is essentially triggered by the results of a search in a report. If you use stats in the report, you will only have the aggregated results of the statistics. If you use eventstats, you can preserve the events whilst adding the aggregated statistics to them.

You also mentioned a third-party application; without know which third-party application you are referring to, it is difficult to say how you might integrate you alert with it, but I would hope that the application would be flexible enough to deal with whatever events you send it, and not be constrained to only dealing with raw events. Even so, if you use eventstats to determine whether there is something worth sending to the third-party application, you can always remove the aggregated stats from the report prior to sending to the third-party application.

How the stats table and events view fits into this is unclear; are you intending to display the results of the report in a dashboard as well as using them in the alert?

0 Karma

syazwani
Path Finder

Hi @ITWhisperer, thank you for helping me with this issue. I thought the format of the output would be an issue when sending the alert to the 3rd party app. As you say, the problem was the 3rd party application that were not be able to integrate the Splunk output. Thank you again!

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...