Alerting

How to get Alert Webhook to send entire contents of stats table in one POST

TomSemple
Loves-to-Learn

I have set up an Alert for a stats expression like this:

| stats element_name count

This is triggered each time the Alert was scheduled to give a summary of certain events.

However, if Trigger is set to Once, I only get the first row. If I set it to For each result, then I get one POST per row. This gets the data over, but the receiver then needs to put these separate things back together (e.g. by matching SID or some such); I'd rather they were all sent in the same package to begin with.

Is there some expression (say using eval) that I can add that would convert the table into a single item that would be returned when Trigger is set to Once, e.g.:

"result": {
  "table": "{'thing_1': 387, 'thing_2': 88}"
}


richgalloway
SplunkTrust
| stats element_name count

Is not valid SPL. If you just want to show the values in fields then use the table command.

| table element_name count

To see counts for each element name, try this

| stats count by element_name

Both commands will produce a table of values that should be included in the alert.

---
If this reply helps you, Karma would be appreciated.

TomSemple
Loves-to-Learn

You are of course correct about the syntax for stats; that is the syntax I'm using. 

I do want to see counts of each value that element_name takes, so the table command is not useful.

I still want to see if there's a way to convey the information in the stats in a single webhook POST (i.e. Alert fires Once per alert schedule), without building a custom event trigger action.

In case I wasn't clear, in this case the POST contains only one row of the stats. If Alert is set to Once, only the first row is sent. If alert is set to For each result, then there's a POST for each row.

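One way to collapse the stats table into a single row, so that a Trigger of Once delivers every element_name count in one webhook POST, is to serialize the rows into a string field before the alert evaluates. This is an added example, not code from the thread; `<base search>` is a placeholder for the question's own search, and the field names `pair`, `pairs`, `table`, `total` and `rows` are constructed choices.

```spl
<base search>
| stats count by element_name
| eval pair = "\"" . element_name . "\": " . count
| stats list(pair) AS pairs, sum(count) AS total, count AS rows
| eval table = "{" . mvjoin(pairs, ", ") . "}"
| fields table total rows
```

The second stats leaves exactly one row, so the webhook `result` object carries `table` as one JSON-formatted string (e.g. `{"thing_1": 387, "thing_2": 88}`) plus the row and total counts the receiver can use to check nothing was dropped; note that list() is capped by limits.conf (100 values by default), so if more distinct element_name values are possible the receiver should compare `rows` against the number of pairs it parses.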