Hello
I use the search below in order to generate an alert if disk size is > 20
search = `diskspace` \
| fields host FreeSpaceKB \
| eval host=upper(host) \
| eval time = strftime(_time, "%m/%d/%Y %H:%M") \
| eval FreeSpace = FreeSpaceKB/1024 \
| eval FreeSpace = round(FreeSpace/1024,1) \
| stats latest(time) as time latest(FreeSpace) as FreeSpace by host \
| where FreeSpace >= 20 \
| table host
In the alert message I need to display the host concerned by the alert.
So I put: The $host$ encounter a disk size issue, but the host is not displayed.
Same thing in the subject of the alert: Splunk Disk size alert for the $host$
What is the problem, please?
Hi @jip31,
You have to use $result.field$ to reference fields from the search results.
So, $result.host$ should work for you.
BR
Ralph
--
Karma and/or Solution tagging appreciated.
Hi and thanks. I am going to test it.
Last question: if I have many host results, will all the hosts be displayed?
Nope, just the first result.
"First value for the specified field name from the first search result row."
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens#Result_tokens
BR
Ralph
Thanks Ralph
But it's a problem for me because I need to create incidents automatically in SNOW from this alert.
So it means that I have to run this alert very often (actually one time per day) if I want to create an incident for each host when an event corresponding to the search occurs. BR
Ok, you could create a mv field from the resulting hosts. This should give you the possibility to add multiple hosts in one email.
Add this as the last line to your SPL:
| stats values(host) as hosts
All hosts can be referenced as $result.hosts$ in the email.
Hope it helps.
BR
Ralph
--
Karma and/or Solution tagging appreciated.