How to get Alert Webhook to send entire contents of stats table in one POST

TomSemple
Loves-to-Learn

I have set up an Alert for a stats expression like this:

| stats element_name count

This is triggered each time the Alert was scheduled to give a summary of certain events.

However, if Trigger is set to Once, I only get the first row. If I set it to For each result, then I get one POST per row. This gets the data over, but the receiver then needs to put these separate things back together (e.g. by matching SID or some such); I'd rather they were all sent in the same package to begin with.

Is there some expression (say using eval) that I can add that would convert the table into a single item that would be returned when Trigger is set to Once, e.g.:

"result": {
  "table": "{'thing_1': 387, 'thing_2': 88}"
}


richgalloway
SplunkTrust
| stats element_name count

Is not valid SPL. If you just want to show the values in fields then use the table command.

| table element_name count

To see counts for each element name, try this

| stats count by element_name

Both commands will produce a table of values that should be included in the alert.

---
If this reply helps you, Karma would be appreciated.

TomSemple
Loves-to-Learn

You are of course correct about the syntax for stats; that is the syntax I'm using.

I do want to see counts of each value that element_name takes, so the table command is not useful.

I still want to see if there's a way to convey the information in the stats in a single webhook POST (i.e. Alert fires Once per alert schedule), without building a custom event trigger action.

In case I wasn't clear, in this case the POST contains only one row of the stats. If Alert is set to Once, only the first row is sent. If alert is set to For each result, then there's a POST for each row.

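The thread leaves the "For each result" workaround at the point where the receiver has to stitch rows back together by SID. As an added example (not code from this thread or from Splunk), the Python below shows what that receiver-side step looks like and, going slightly beyond the question, what a defensive receiver should do with bodies that do not match the expected shape. It assumes the webhook alert action's documented JSON body (top-level sid, search_name and a result object of string field values); the field names element_name and count, the quiet window, and the sample sid and POST bodies are constructed assumptions.

```python
import json
from collections import defaultdict

# Keys the webhook alert action puts in every POST (documented payload shape);
# a POST missing any of them is dropped rather than guessed at.
REQUIRED_KEYS = {"sid", "search_name", "result"}


def table_from_rows(rows, key_field="element_name", value_field="count"):
    """Collapse stats rows into the single {key: count} item the question asks for.
    Webhook result values arrive as strings, so counts are converted to int."""
    table = {}
    for row in rows:
        if key_field not in row or value_field not in row:
            continue  # skip rows that do not carry the expected fields
        try:
            table[row[key_field]] = int(row[value_field])
        except ValueError:
            table[row[key_field]] = row[value_field]  # keep non-numeric values verbatim
    return table


class WebhookAggregator:
    """Regroups 'For each result' POSTs by sid.

    Splunk does not tell the receiver how many rows an alert run produced, so a
    sid is treated as complete once no new row for it has arrived for
    quiet_seconds (an assumed policy). The caller passes the current time
    explicitly (use a monotonic clock in production), which keeps this testable."""

    def __init__(self, quiet_seconds=5.0):
        self.quiet_seconds = quiet_seconds
        self._rows = defaultdict(list)   # sid -> list of result dicts
        self._meta = {}                  # sid -> search_name
        self._last_seen = {}             # sid -> timestamp of latest row

    def ingest(self, body, now):
        """Accept one raw POST body; return any tables completed as of `now`."""
        try:
            payload = json.loads(body)
        except ValueError:
            return self.flush(now)  # malformed JSON: ignore it, still honour timers
        if (not isinstance(payload, dict)
                or not REQUIRED_KEYS <= payload.keys()
                or not isinstance(payload["result"], dict)):
            return self.flush(now)  # wrong shape: do not trust it
        sid = str(payload["sid"])
        self._rows[sid].append(payload["result"])
        self._meta.setdefault(sid, str(payload["search_name"]))
        self._last_seen[sid] = now
        return self.flush(now)

    def flush(self, now):
        """Emit one combined record per sid whose quiet window has elapsed."""
        done = [sid for sid, seen in self._last_seen.items()
                if now - seen >= self.quiet_seconds]
        completed = []
        for sid in done:
            rows = self._rows.pop(sid)
            completed.append({
                "sid": sid,
                "search_name": self._meta.pop(sid),
                "row_count": len(rows),
                "table": table_from_rows(rows),
            })
            del self._last_seen[sid]
        return completed


# Constructed sample: three per-row POSTs from one alert run, plus one junk body.
SAMPLE_SID = "sid-constructed-0001"
SAMPLE_POSTS = [
    (0.0, json.dumps({"sid": SAMPLE_SID, "search_name": "element summary",
                      "result": {"element_name": "thing_1", "count": "387"}})),
    (0.2, json.dumps({"sid": SAMPLE_SID, "search_name": "element summary",
                      "result": {"element_name": "thing_2", "count": "88"}})),
    (0.4, b"not json at all"),
    (0.5, json.dumps({"sid": SAMPLE_SID, "search_name": "element summary",
                      "result": {"element_name": "thing_3", "count": "12"}})),
]


def run_sample():
    """Feed the sample POSTs through the aggregator and return the combined tables."""
    agg = WebhookAggregator(quiet_seconds=5.0)
    emitted = []
    for ts, body in SAMPLE_POSTS:
        emitted.extend(agg.ingest(body, ts))
    emitted.extend(agg.flush(now=10.0))  # quiet window elapsed: one combined record
    return emitted


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

In a real receiver the `ingest` call sits behind the HTTP handler and `flush` runs on a timer; the quiet-window heuristic is the price of the per-result mode, since nothing in the POST says how many rows the run had, which is exactly the reassembly cost the question wants to avoid.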