Alerting

Is there a token that gets the total number of events in the alert?

bestSplunker
Contributor

Hello, everyone.

I have read doc https://docs.splunk.com/Documentation/Splunk/7.2.5/Alert/EmailNotificationTokens

I noticed that the token $job.resultCount$ gives the number of alert results, but I want to get the total number of events in the search results.

For example:

index=ids eventtype=ids_attack | stats count by signature_id

Because I use stats count by signature_id, the search returned 20 results, while the total number of events is 500.
So if I used the token $job.resultCount$ in the alert, the alert message would tell me 20 results, but in fact I want the total number of events (500 events), which is equivalent to the result count of the following search:

index=ids eventtype=ids_attack

To avoid creating two alerts, I want to ask whether there is a way to get the total number of events.


niketn
Legend

@bestSplunker once you have the field total_event in the search result, you can use $result.total_event$ in your Alert. I am not sure that there will be any other way of having this as a token.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


woodcock
Esteemed Legend

Do this:

index=ids eventtype=ids_attack | eventstats count | stats count first(count) AS _totalCount BY signature_id

Then use $results._totalCount$ for your token.



bestSplunker
Contributor

@niketnilay Thank you! Please convert your comment to an answer; I will accept your reply.


niketn
Legend

@bestSplunker I am glad you found the answer useful. I have converted my comment to answer, so that you can mark the same as accepted.


kamlesh_vaghela
SplunkTrust

@bestSplunker

Can you please try this?

index=ids eventtype=ids_attack | eventstats count AS total_event | stats count values(total_event) AS total_event BY signature_id

bestSplunker
Contributor

@kamlesh_vaghela I hope to implement it in a token way

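As an added example (editor's addition, not code from any of the posters), here is how the two pieces of advice in this thread fit together in a saved alert: the search carries the total in a field, as in woodcock's and kamlesh_vaghela's searches, and the e-mail action reads it with the token niketn describes, whose documented form is $result.<field>$ and which takes the field's value from the first result row. The stanza below is a hypothetical savedsearches.conf entry; the stanza name, schedule, recipient address and the index/eventtype are assumptions. It computes the total with eventstats over the already-aggregated rows (the sum of the per-signature counts) instead of over every raw event, which yields the same number with less work on large result sets; the eventstats-before-stats searches above work the same way with the same token.

```ini
# savedsearches.conf (local); the stanza name is hypothetical
[IDS attack volume by signature]
# stats first, then eventstats over the ~20 aggregated rows:
# total_event = sum of the per-signature counts, i.e. the same number as
# "eventstats count" over all raw events, without tagging every event
search = index=ids eventtype=ids_attack | stats count BY signature_id | eventstats sum(count) AS total_event
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# fire only when the search returns at least one row (no rows => no total, no alert)
counttype = number of results
relation = greater than
quantity = 0
alert.track = 1
# e-mail action: $job.resultCount$ is the number of rows (signatures),
# $result.total_event$ is read from the first result row, where eventstats put the total
action.email = 1
action.email.to = soc@example.com
action.email.subject.alert = IDS: $job.resultCount$ signatures, $result.total_event$ events
action.email.message.alert = $job.resultCount$ distinct signatures fired ($result.total_event$ events in total) in the last 15 minutes.
action.email.sendresults = 1
action.email.inline = 1
```

Because every row carries the same total_event value, it does not matter which row Splunk treats as the first one; if the per-signature rows are later sorted or head-limited for the inline table, the token still reports the full count.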