Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use token to show the value returned by addcoltotals command in the subject of the email

raghul725
Explorer
‎01-31-2024 07:48 AM

Hello,

 

I am using addcoltotals command to get the total value of a column and I would like to display the value returned by addcoltotals command in the subject of the email when an alert is triggered.

 

my_search|chart count AS XXXX by YYYY| addcoltotals labelfield="Total Delivered"

 

The output is

 

Files | Files_Count | Total Delivered

F1     |     3                   |

F2     |      5                  |

F3     |      3                  |

           |      11               | Total

 

I would like 11 to be displayed in the subject line. Tried various tokens but could not get it working.

 

Regards

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎01-31-2024 08:25 AM

@raghul725 - You can use the token inside a subject of the Splunk email action. But it will take first value from the field instead of the total.

To do that use this instead in your query instead of addcoltotals:

my_search |chart count AS XXXX by YYYY |
| appendpipe [| stats sum(File_Count) by Total_Delivered]

 

Use something like this in the subject of the email

Files count is $result.Total_Delivered$

 

Reference - https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Alert/EmailNotificationTokens

 

I hope this helps!!! 

0 Karma
Reply

raghul725
Explorer
‎01-31-2024 10:37 AM

Sorry I am bit lost here, how can I run the command if I don't use addcoltotals please?

Without addcoltotals labelfield="Total Delivered" the field Total Delivered will not exists to do count by.

And if I add the command addcoltotals labelfield="Total Delivered" to your suggestion, it defeats the purpose, unless I am thick which I very well can be!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-01-2024 07:38 AM

@raghul725 - This line below can do whatever addcoltotals can do:

| appendpipe [| stats sum(File_Count) by Total_Delivered]

 

I used Total_Delivered instead of "Total Delivered", as space sometimes create issues with tokens.

 

I hope this helps!!

0 Karma
Reply

raghul725
Explorer
‎02-01-2024 10:26 AM

OK, the Total_Delivered is defined via labelfield added to addtotalcols command.

 

So if we run 

| appendpipe [| stats sum(File_Count) by Total_Delivered]

without addtotalcols labelfield, then stats by from the above will not make any difference.

 

And if I run it as 

 

|addcoltotals labelfield="Total_Delivered"|appendpipe [| stats sum(File_Count) as TFC by Total_Delivered]

 

the output is as below

 

Files | Files_Count | Total_Delivered | TFC| Total_Delivered

F1     |     3                   |                           |         |

F2     |      5                  |                           |         |

F3     |      3                  |                           |         |Total

           |      11               | Total                 | 11| Total

 

Are we expecting the above output please, altho' the view is NOT great, we can use TFC as token in subject to state the value I believe?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...