Alerting

Merge 2 alerts that have the same fields into 1 CSV file alert

phamxuantung
Communicator

Hello,

I currently have 2 queries that produce 2 alert emails, which send 2 separate CSV files. The 2 have the same fields/columns. I want to merge them into 1 CSV file, in Excel form, ideally in the same sheet.

Example:

Table 1


MERCHANT_ID|Sales|TYPE
Merchant A |14   |Domestic
Merchant B |5    |Domestic


Table 2


MERCHANT_ID|Sales|TYPE
Merchant C |2    |Foreign
Merchant D |52   |Foreign


The result would be


MERCHANT_ID|Sales|TYPE
Merchant A |14   |Domestic
Merchant B |5    |Domestic
Merchant C |2    |Foreign
Merchant D |52   |Foreign

scelikok
SplunkTrust

You can write the first alert's search results to 1.csv. Then, at the end of the second alert's search, you can append 1.csv and produce the final output CSV.

As a sample for the second alert:

| second_search
| inputlookup append=t 1.csv

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
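To make the two-alert handoff above concrete, here is an added example as a savedsearches.conf fragment. It is not code from the thread or from any poster: the stanza names, the index names sales_domestic and sales_foreign, the lookup file name merged_sales_alert.csv, the schedule and the recipient address are all assumptions; the field names MERCHANT_ID, Sales and TYPE are taken from the question. The first alert is scheduled ahead of the second so the file exists before the second search reads it, and each alert keeps its own calculation, so only the finished tables are combined.

```ini
# Added example, not from the thread. Stanza names, index names, schedule,
# recipient and the lookup file name are assumptions; the field names
# MERCHANT_ID, Sales and TYPE come from the question.

# Alert 1: runs first and writes its rows to a lookup file instead of
# emailing them. override_if_empty=true makes an empty result overwrite
# the file, so rows from a previous run are never merged by mistake.
[Merchant sales - domestic (feeds merged alert)]
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
search = index=sales_domestic \
  | stats sum(Sales) as Sales by MERCHANT_ID \
  | eval TYPE="Domestic" \
  | table MERCHANT_ID Sales TYPE \
  | outputlookup override_if_empty=true merged_sales_alert.csv

# Alert 2: runs 15 minutes later, appends the rows written by alert 1,
# sorts so Domestic precedes Foreign as in the expected output, and
# attaches the combined result as a single CSV.
[Merchant sales - merged]
enableSched = 1
cron_schedule = 15 6 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
search = index=sales_foreign \
  | stats sum(Sales) as Sales by MERCHANT_ID \
  | eval TYPE="Foreign" \
  | table MERCHANT_ID Sales TYPE \
  | inputlookup append=t merged_sales_alert.csv \
  | sort TYPE MERCHANT_ID
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = fraud-ops@example.com
action.email.sendcsv = 1
action.email.inline = 0
```

Two checks a practitioner would want before relying on this: the second search errors on inputlookup if the lookup file does not exist yet, so run the first alert once by hand (or confirm the file under Settings > Lookups > Lookup table files) before scheduling the second; and the file is written into the app's lookups directory, where anyone who can run inputlookup in that app can read the merchant figures, so keep both alerts in an app whose sharing is restricted to the people who receive the email.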

scelikok
SplunkTrust

Hi @phamxuantung,

Since these CSV files are the output of two separate alerts, you should merge/adapt your alert search to cover both cases. Without knowing your searches, we cannot help.

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

phamxuantung
Communicator

Although the results have the same fields and the queries are similar, just with a different index, unfortunately they can't run together, because combining them will make some calculations wrong. I heard my co-worker say you can export alert 1 to a CSV, then alert 2 will look up that CSV, run the search and then export it. Is that possible?
