- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: help on alert message
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
I use the search below in order to generate an alert if disk size is > 20
search = `diskspace` \
| fields host FreeSpaceKB \
| eval host=upper(host) \
| eval time = strftime(_time, "%m/%d/%Y %H:%M") \
| eval FreeSpace = FreeSpaceKB/1024 \
| eval FreeSpace = round(FreeSpace/1024,1) \
| stats latest(time) as time latest(FreeSpace) as FreeSpace by host \
| where FreeSpace >= 20 \
| table host
In the alert message I need to display the host concerned by the alert
So I put : The $host$ encounter a disk size issue but the host is not displayed
Same thing in the object of the alert : Splunk Disk size alert for the $host$
What is the problem please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, you could create a mv field from the resulting hosts. This should give you the possibility to add multiple hosts in one email.
Aadd this as last line to your SPL:
| stats values(host) as hosts
All hosts can be referenced as $result.hosts$ in the email.
Hope it helps.
BR
Ralph
--
Karma and/or Solution tagging appreciated.
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
You have to use $result.field$ to reference fields from the search results.
So, $result.host$ should work for you.
BR
Ralph
--
Karma and/or Solution tagging appreciated.
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi and thanks. I am going to test it
Last question : if I have many host results, all the host will be displayed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope, just the first result.
"First value for the specified field name from the first search result row."
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens#Result_tokens
BR
Ralph
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks ralph
But its a problem for me because I need to créate incident automatically in SNOW from this alert
So it means that i have to run this alert very often (actually one time per day) if i want to créate incident for each host when an event corresponding to the search occurs. BR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, you could create a mv field from the resulting hosts. This should give you the possibility to add multiple hosts in one email.
Aadd this as last line to your SPL:
| stats values(host) as hosts
All hosts can be referenced as $result.hosts$ in the email.
Hope it helps.
BR
Ralph
--
Karma and/or Solution tagging appreciated.
Karma and/or Solution tagging appreciated.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
