Hello,
I am using the addcoltotals command to get the total value of a column, and I would like to display the value returned by the addcoltotals command in the subject of the email when an alert is triggered.
my_search|chart count AS XXXX by YYYY| addcoltotals labelfield="Total Delivered"
The output is
Files | Files_Count | Total Delivered
F1 | 3 |
F2 | 5 |
F3 | 3 |
| 11 | Total
I would like 11 to be displayed in the subject line. Tried various tokens but could not get it working.
Regards
@raghul725 - You can use the token inside the subject of the Splunk email action. But it will take the first value from the field instead of the total.
To do that, use this in your query instead of addcoltotals:
my_search | chart count AS XXXX by YYYY
| appendpipe [| stats sum(File_Count) by Total_Delivered]
Use something like this in the subject of the email
Files count is $result.Total_Delivered$
Reference - https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Alert/EmailNotificationTokens
I hope this helps!!!
Sorry, I am a bit lost here. How can I run the command if I don't use addcoltotals, please?
Without addcoltotals labelfield="Total Delivered" the field Total Delivered will not exist to do count by.
And if I add the command addcoltotals labelfield="Total Delivered" to your suggestion, it defeats the purpose, unless I am thick which I very well can be!
@raghul725 - This line below can do whatever addcoltotals can do:
| appendpipe [| stats sum(File_Count) by Total_Delivered]
I used Total_Delivered instead of "Total Delivered", as spaces sometimes create issues with tokens.
I hope this helps!!
OK, the Total_Delivered is defined via labelfield added to the addcoltotals command.
So if we run
| appendpipe [| stats sum(File_Count) by Total_Delivered]
without addcoltotals labelfield, then stats by from the above will not make any difference.
And if I run it as
|addcoltotals labelfield="Total_Delivered"|appendpipe [| stats sum(File_Count) as TFC by Total_Delivered]
the output is as below
Files | Files_Count | Total_Delivered | TFC| Total_Delivered
F1 | 3 | | |
F2 | 5 | | |
F3 | 3 | | |Total
| 11 | Total | 11| Total
Are we expecting the above output, please? Although the view is NOT great, we can use TFC as a token in the subject to state the value, I believe?
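
Added example, not part of any post in this thread: because a `$result.fieldname$` token reads the first result row, one way to make the total available there is to write it onto every row with eventstats rather than appending a totals row. The field names Files and Files_Count are taken from the output table above; the makeresults/streamstats/eval lines only construct sample data (3, 5 and 3 events) in place of my_search.

```spl
| makeresults count=11
| streamstats count AS n
| eval Files=case(n<=3, "F1", n<=8, "F2", true(), "F3")
| chart count AS Files_Count BY Files
| eventstats sum(Files_Count) AS Total_Delivered
```

Each of the three rows then carries Total_Delivered=11, so a subject of `Files count is $result.Total_Delivered$` resolves to the total.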