Alerting

Is there a token that get total number of events in the alert?

bestSplunker
Contributor

Hello, everyone.

I have read doc https://docs.splunk.com/Documentation/Splunk/7.2.5/Alert/EmailNotificationTokens

I noticed the token $job.resultCount$ can count the number of alert results, but I want to get the total number of events in the search results.

For example:

index = ids eventtype=ids_attack |stats count by signature_id

Because I use stats count by signature_id, the search returned 20 results, but the total number of events is 500.
So if I used the token $job.resultCount$ in the alert, the alert message would tell me 20 results; in fact, I want to get the total number of events (500 events), which is equivalent to the result count of the following search:

index = IDS eventtype = ids_attack

To avoid creating two alerts, I want to ask if there is a way to get the total number of events?


niketn
Legend

@bestSplunker once you have the field total_events in the search result, you can use $result.total_event$ in your Alert. I am not sure that there will be any other way of having this as token.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


woodcock
Esteemed Legend

Do this:

index = ids eventtype=ids_attack | eventstats count | stats count first(count) AS _totalCount BY signature_id

Then use $results._totalCount$ for your token.

0 Karma


bestSplunker
Contributor

@niketnilay thank you~ Please convert your comment to an answer; I will accept your reply.

0 Karma

niketn
Legend

@bestSplunker I am glad you found the answer useful. I have converted my comment to answer, so that you can mark the same as accepted.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kamlesh_vaghela
SplunkTrust

@bestSplunker

Can you please try this?

index = ids eventtype=ids_attack  | eventstats count as total_event |stats count values(total_event) as total_event by signature_id
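As an added illustration (not code from any poster in this thread), the following Python script simulates the eventstats-then-stats pattern from the two answers above on constructed IDS events, then substitutes alert tokens the way an email alert does. It assumes the documented token semantics: $job.resultCount$ is the number of result rows and $result.<field>$ is taken from the first result row, which is why carrying the total on every row makes it reachable as a token.

```python
"""Added example: simulate '| eventstats count | stats count first(count) AS _totalCount BY signature_id'
on constructed events and render the alert tokens that read from the result."""
import re
from collections import Counter

# Constructed sample data: 500 IDS events spread evenly over 20 signature ids.
EVENTS = [{"signature_id": f"SIG-{i % 20:02d}"} for i in range(500)]


def eventstats_count(events, field="count"):
    """| eventstats count AS <field>: attach the total event count to every event."""
    total = len(events)
    return [dict(e, **{field: total}) for e in events]


def stats_count_first_by(events, carried, out, by):
    """| stats count first(<carried>) AS <out> BY <by>: one row per group.
    Because eventstats wrote the same total onto every event, first() of that
    field inside any group is the overall total."""
    counts = Counter(e[by] for e in events)
    first_seen = {}
    for e in events:
        first_seen.setdefault(e[by], e[carried])
    return [{by: k, "count": counts[k], out: first_seen[k]} for k in sorted(counts)]


def render_alert(template, results):
    """Substitute $job.resultCount$ and $result.<field>$ (assumed semantics:
    resultCount is the row count, $result.*$ comes from the first row only)."""
    def sub(m):
        token = m.group(1)
        if token == "job.resultCount":
            return str(len(results))
        if token.startswith("result."):
            return str(results[0].get(token[len("result."):], ""))
        return m.group(0)  # unknown token: leave it untouched
    return re.sub(r"\$([\w.]+)\$", sub, template)


def run_search(events=EVENTS):
    """The full pipeline: eventstats total, then per-signature stats carrying it."""
    return stats_count_first_by(eventstats_count(events), "count", "_totalCount", "signature_id")


if __name__ == "__main__":
    rows = run_search()
    print(render_alert("$job.resultCount$ signatures, $result._totalCount$ events total", rows))
```

Running it prints "20 signatures, 500 events total", matching the 20 results and 500 events described in the question.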

bestSplunker
Contributor

@kamlesh_vaghela I hope to implement it in a token way
