Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add custom fields to the alert?

kkawatra
Explorer
‎08-02-2022 04:24 PM

Hi,

 

We are looking to add a custom field to our alerts to BigPanda. Is there a way to add fields natively or a workaround done by any Splunk users?

 

Thanks,

Kay

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-04-2022 12:04 AM

Hi @kkawatra,

as @ITWhisperer said, you have two ways to add custom fields to your search:

  • eval command, if you have few and fixed values to add,
  • lookup if you have many or variable values to add.

some sample to better understand:

if you have to add e.g. the name of the customer, you could add:

| eval customer="customer1"

in this way all the events will have this fixed field.

If you would e.g. add the location of a server taken from a lookup called perimeter.csv, you have to find a key (e.g. "host") and all the lookup command:

<your_search>
| lookup perimeter.csv host OUTPUT location
| table _time <all_your_fields> location

In additio, if you need to have fixed names for the fields, you could use the "rename" command.

If you aren't expert in SPL, you could follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial) that theaches you about SPL.

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution

kkawatra
Explorer
‎08-03-2022 02:55 PM

Hi @gcusello,

Thank you for the response. 

First of all I'm new to Splunk, so pardon my lack of knowledge. 

Second, I want to say adding custom fields to the results

The idea is to send splunk alerts to BigPanda. But for BigPanda to accept those alerts and further move along to create ticket and attach any TSGs, its looking for very specific fields. So, I was wondering if we can send the payload with custom fields via webhook or we can send it over BigPanda integration(preferred).

 

Thanks,

Kay 

0 Karma
Reply
Solved! Jump to solution

Siddharth
Path Finder
‎08-05-2022 06:30 AM

No you can't do this by default for this you have to create your own custom alert app. I would recommend use this custom add-on app it will help you to create the alert addon 

https://splunkbase.splunk.com/app/2962/ 

also have a look on this video it will help you 

https://www.youtube.com/watch?v=UqJAc7rpFmQ&t=185s

 

Let me know if it helps 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-04-2022 12:04 AM

Hi @kkawatra,

as @ITWhisperer said, you have two ways to add custom fields to your search:

  • eval command, if you have few and fixed values to add,
  • lookup if you have many or variable values to add.

some sample to better understand:

if you have to add e.g. the name of the customer, you could add:

| eval customer="customer1"

in this way all the events will have this fixed field.

If you would e.g. add the location of a server taken from a lookup called perimeter.csv, you have to find a key (e.g. "host") and all the lookup command:

<your_search>
| lookup perimeter.csv host OUTPUT location
| table _time <all_your_fields> location

In additio, if you need to have fixed names for the fields, you could use the "rename" command.

If you aren't expert in SPL, you could follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial) that theaches you about SPL.

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

kkawatra
Explorer
‎08-05-2022 08:46 AM

This worked, thanks @gcusello 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-03-2022 11:44 PM

An alert is triggered by conditions being satisfied by the results of a search - the search can contain additional fields (as @gcusello says) simply by using, for example, the eval command or lookup command.

Start by creating a search that produces the results you want in your alert.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-02-2022 11:53 PM

Hi @kkawatra,

your question is just a little vague!

In general, answer is yes.

Could you better describe your request?

  • are you speaking of fields from the search of from a lookup?
  • are you speaking of fixed fields?
  • are you speaking of adding custom fields to the results  or to the message?

in other words, please share your search and better describe your request.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...