Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get Alert Webhook to send entire contents of stats table in one POST

TomSemple
Loves-to-Learn
‎08-07-2020 11:40 AM

I have set up an Alert for a stats expression like this:

 

| stats element_name count

 

 This is triggered each time the Alert was scheduled to give a summary of certain events.

However, if Trigger is set to Once, I only get the first row. If I set it to For each result, then I get one POST per row. This gets the data over, but the receiver then needs to put these separate things back together (e.g. by matching SID or some such), I'd rather they were all sent in the same package to begin with.

Is there some expression (say using eval) that I can add that would convert the table into a single item that would be returned when Trigger is sent to Once, e.g.:

 

"result: {
  "table": "{'thing_1': 387, 'thing_2': 88}"
}

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2020 12:15 PM 
| stats element_name count

Is not valid SPL.  If you just want to show the values in fields then use the table command.

| table element_name count

To see counts for each element name, try this

| stats count by element_name

Both commands will produce a table of values that should be included in the alert.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

TomSemple
Loves-to-Learn
‎08-07-2020 05:33 PM

You are of course correct about the syntax for stats; that is the syntax I'm using. 

I do want to see counts of each value that element_name takes, so the table command is not useful.

I still want to see if there's a way to convey the information in the stats in a single webhook POST (i.e. Alert fires Once per alert schedule), without building a custom event trigger action.

In case I wasn't clear, in this case the POST contains only one row of the stats. If Alert is set to Once, only the first row is sent. If alert is set to For each result, then there's a POST for each row.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...