We have an alert that returns a set of errors by error type:
index=foo ... | stats count as count_errors by myfield | sort - count_errors | where count_errors > 0
This will produce:
myfield     count
errortype1  45
errortype2  33
errortype3  10
We can get this table emailed to us using line and table.
For custom actions, e.g. HipChat, I can only seem to get one value for the first one by referencing $result.myfield$
How can we get all the results that email would see to also appear in HipChat or other custom alerts?
Try changing the alert mode of the search in Searches, Reports and Alerts, from Once per Search to Once per Result.
Hmm. Wouldn't that cause two different alerts? I guess I can try and let you know.
Yes, I got two separate alerts back to back. At least I can see the info. Thanks.