I have set up an Alert for a stats expression like this:
| stats element_name count
This is triggered each time the Alert was scheduled to give a summary of certain events.
However, if Trigger is set to Once, I only get the first row. If I set it to For each result, then I get one POST per row. This gets the data over, but the receiver then needs to put these separate things back together (e.g. by matching SID or some such); I'd rather they were all sent in the same package to begin with.
Is there some expression (say using eval) that I can add that would convert the table into a single item that would be returned when Trigger is set to Once, e.g.:
"result": {
"table": "{'thing_1': 387, 'thing_2': 88}"
}
| stats element_name count
Is not valid SPL. If you just want to show the values in fields then use the table command.
| table element_name count
To see counts for each element name, try this:
| stats count by element_name
Both commands will produce a table of values that should be included in the alert.
You are of course correct about the syntax for stats; that is the syntax I'm using.
I do want to see counts of each value that element_name takes, so the table command is not useful.
I still want to see if there's a way to convey the information in the stats in a single webhook POST (i.e. Alert fires Once per alert schedule), without building a custom event trigger action.
In case I wasn't clear, in this case the POST contains only one row of the stats. If Alert is set to Once, only the first row is sent. If alert is set to For each result, then there's a POST for each row.
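One way to get the single-item shape asked for above, as an added example that is not part of the original thread: collapse the stats rows into one row before the alert fires, so that the first (and only) row sent with Trigger set to Once carries every count. The field names pair and pairs are hypothetical, and element_name values are assumed to contain no double quotes or backslashes.

```spl
| stats count by element_name
| eval pair = "\"" . element_name . "\": " . count
| stats values(pair) as pairs
| eval table = "{" . mvjoin(pairs, ", ") . "}"
| fields table
```

The search now returns one row whose table field is a JSON object string such as {"thing_1": 387, "thing_2": 88}, which the receiver parses once per POST.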