- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: How to adjust my alert to provide results with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to adjust my alert to provide results with each record on a separate line?
I am trying to adjust my alert to provide results with each record on a separate line. I have the following search string that counts the total records and does a subtotal. If it goes over a certain amount of records for that hour, it triggers an alert. The problem is that it does not separate each record as it should. Can someone please assist?
sourcetype=udp:5514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)|eval Object=if(isnull(file),directory,file)|eval Type=if(isnull(file),"Directory","File") | stats count list(Object) as whatchanged by user, operation, machine_source | rename user as User, operation as Operation, machine_source as Source, whatchanged as What_Change | sort -count | search count>100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reason why you get all the What_Changed values all in one line is due to usage of list aggregation in your stats. It creates a multivalued fields with all the values of the Object field and the csv output in the alert doesn't support multiline output. I would suggest to use Inline table option instead of csv attachment in your email alert (See this. OR use following query for your alert.
sourcetype=udp:5514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)|eval Object=coalesce(file,directory)|eval Type=if(isnull(file),"Directory","File") | stats count by user, operation, machine_source Object | eventstats sum(count) as total by user, operation, machine_source | search total>100| rename user as User, operation as Operation, machine_source as Source, whatchanged as What_Change | sort -total - count
OR
sourcetype=udp:5514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)|eval Object=if(isnull(file),directory,file)|eval Type=if(isnull(file),"Directory","File") | stats count list(Object) as whatchanged by user, operation, machine_source | search count>100 | rename user as User, operation as Operation, machine_source as Source, whatchanged as What_Change | sort -count | mvexpand What_Change
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you provide more information when you say " it does not separate each record as it should"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, yes I can. What I expect the output to be is a report/alert providing the results by summarizing all of the records so that I can have a total count. However, I would like to see each record separated instead all of them merged into what it appears to be a single cell. See below
Perhaps there is a way to hard code grid lines in the results?
Current output:
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352 & 5704- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352 & 5352- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352 & 5352- 5800 Double Contingency.idv D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Remedy Open BVL-C A Wall.idv D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Double Contingency.idv
Preferred output:
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352 & 5704- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352 & 5352- 5800-Remedy Open Lake Bryan-KISOSPK+ARP-HORD+CLAY-PH.idv
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2883-5352 & 5352- 5800 Double Contingency.idv D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Remedy Open BVL-C A Wall.idv
D:\Data\Public\Engineering\DB2015\LR_15Study\P6Lines-remedies\rcd from KUA-8-9-15\KUA Remedies\21s-Remedy\2882-7431 & 5352-5353-Double Contingency.idv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well thats odd, the current output really does not separate each record. Let me know if you understand though.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
