Alerting

How to adjust my alert to provide results with each record on a separate line?

fmpa_isaac
Path Finder

I am trying to adjust my alert to provide results with each record on a separate line. I have the following search string that counts the total records and does a subtotal. If it goes over a certain amount of records for that hour, it triggers an alert. The problem is that it does not separate each record as it should. Can someone please assist?

sourcetype=udp:5514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)|eval Object=if(isnull(file),directory,file)|eval Type=if(isnull(file),"Directory","File") | stats count list(Object) as whatchanged by user, operation, machine_source | rename user as User, operation as Operation, machine_source as Source, whatchanged as What_Change | sort -count | search count>100


somesoni2
Revered Legend

The reason you get all the What_Change values in one line is the use of the list aggregation in your stats. It creates a multivalued field holding all the values of the Object field, and the csv output in the alert doesn't support multiline output. I would suggest using the Inline table option instead of the csv attachment in your email alert (see this), or use the following query for your alert.

sourcetype=udp:5514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)|eval Object=coalesce(file,directory)|eval Type=if(isnull(file),"Directory","File") | stats count by user, operation, machine_source, Object | eventstats sum(count) as total by user, operation, machine_source | search total>100| rename user as User, operation as Operation, machine_source as Source, Object as What_Change | sort -total, -count

OR

sourcetype=udp:5514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)|eval Object=if(isnull(file),directory,file)|eval Type=if(isnull(file),"Directory","File") | stats count list(Object) as whatchanged by user, operation, machine_source | search count>100 | rename user as User, operation as Operation, machine_source as Source, whatchanged as What_Change | sort -count | mvexpand What_Change
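To make the difference between the two suggested shapes concrete, here is an added Python emulation (not Splunk code, and not from the original answer) of the aggregation steps above, run over a handful of constructed audit events. The user names, hosts and paths are hypothetical, and the threshold is set to 1 instead of the alert's 100 so the sample stays small. `stats_list_then_mvexpand` mirrors `stats count list(Object) ... | search count>N | mvexpand`, and `stats_by_object_with_total` mirrors `stats count by ... Object | eventstats sum(count) as total | search total>N`.

```python
"""Emulate two ways to shape a Splunk file-change alert so that each changed
object lands on its own row, over constructed sample events (not real data).
"""
from collections import Counter, defaultdict

# Constructed sample events, one dict per audit record; hypothetical paths and hosts.
EVENTS = [
    {"user": "alice", "operation": "Write",  "machine_source": "ws01", "file": r"D:\Data\a.idv"},
    {"user": "alice", "operation": "Write",  "machine_source": "ws01", "file": r"D:\Data\b.idv"},
    {"user": "alice", "operation": "Write",  "machine_source": "ws01", "file": r"D:\Data\a.idv"},
    {"user": "alice", "operation": "Delete", "machine_source": "ws01", "directory": r"D:\Data\old"},
    {"user": "bob",   "operation": "Write",  "machine_source": "ws02", "file": r"D:\Data\c.idv"},
    {"user": "carol", "operation": "Read",   "machine_source": "ws03", "file": r"D:\Data\d.idv"},
]

GROUP_KEYS = ("user", "operation", "machine_source")
RENAME = {"user": "User", "operation": "Operation", "machine_source": "Source"}


def object_of(event):
    """eval Object=coalesce(file,directory): file wins when both are present."""
    return event.get("file") or event.get("directory")


def filtered(events):
    """Mirror the operation!=Read part of the base search."""
    return [e for e in events if e["operation"] != "Read"]


def stats_list_then_mvexpand(events, threshold):
    """stats count list(Object) as What_Change by user, operation, machine_source
       | search count>threshold | sort -count | mvexpand What_Change
    One row per event in every group whose event count exceeds the threshold.
    Caveat: mvexpand copies the group's count onto every row, so do not sum it downstream."""
    groups = defaultdict(list)
    for e in filtered(events):
        groups[tuple(e[k] for k in GROUP_KEYS)].append(object_of(e))
    rows = []
    for key, objs in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        if len(objs) <= threshold:
            continue
        base = {RENAME[k]: v for k, v in zip(GROUP_KEYS, key)}
        base["count"] = len(objs)
        for obj in objs:  # mvexpand: multivalued field -> one row per value
            rows.append({**base, "What_Change": obj})
    return rows


def stats_by_object_with_total(events, threshold):
    """stats count by user, operation, machine_source, Object
       | eventstats sum(count) as total by user, operation, machine_source
       | search total>threshold | sort -total, -count
    One row per distinct object, carrying that object's own count and the group total."""
    per_object = Counter()
    for e in filtered(events):
        per_object[(tuple(e[k] for k in GROUP_KEYS), object_of(e))] += 1
    totals = Counter()
    for (key, _obj), n in per_object.items():
        totals[key] += n
    rows = []
    for (key, obj), n in per_object.items():
        if totals[key] <= threshold:
            continue
        row = {RENAME[k]: v for k, v in zip(GROUP_KEYS, key)}
        row.update({"What_Change": obj, "count": n, "total": totals[key]})
        rows.append(row)
    rows.sort(key=lambda r: (-r["total"], -r["count"]))
    return rows


if __name__ == "__main__":
    # The alert on the page uses count>100; threshold 1 keeps this sample readable.
    for title, rows in (("mvexpand", stats_list_then_mvexpand(EVENTS, 1)),
                        ("per-object + total", stats_by_object_with_total(EVENTS, 1))):
        print(f"== {title} ==")
        for r in rows:
            print(r)
```

Which shape you want depends on what the alert is for: the mvexpand form keeps one line per event (a path written three times appears three times), while the per-object form collapses repeats into a per-path count next to the group total, which is usually the more readable email.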

somesoni2
Revered Legend

Could you provide more information when you say "it does not separate each record as it should"?


fmpa_isaac
Path Finder

Hi there, yes I can. What I expect the output to be is a report/alert providing the results by summarizing all of the records so that I can have a total count. However, I would like to see each record separated instead of all of them merged into what appears to be a single cell. See below.
Perhaps there is a way to hard code grid lines in the results?

Current output:

D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352  & 5704- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352  & 5352- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352  & 5352- 5800 Double Contingency.idv D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Remedy Open BVL-C A Wall.idv D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Double Contingency.idv

Preferred output:

D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352  & 5704- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv 
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352  & 5352- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv 
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352  & 5352- 5800 Double Contingency.idv
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Remedy Open BVL-C A Wall.idv
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Double Contingency.idv

fmpa_isaac
Path Finder

Well, that's odd, the current output really does not separate each record. Let me know if you understand, though.
