
Send report as table

sphiwee
Contributor

I have a query which is a lookup, and I have assigned the output to "Report" as I want to send the entirety of the report via Teams, but I'm struggling to send it as a table; it's just the entire and it's not readable.

Here's the output in Teams:

teams output.PNG

And this is my query:


index="acoe_bot_events"
unique_id = *
|lookup "LU_ACOE_RDA_Tracker" ID AS unique_id
|search Business_Area_Level_2="Client Solutions Insurance" , Category="*", Business_Unit = "*", Analyst_Responsible = "*", Process_Name = "*"
|eval STP=(passed/heartbeat)*100
|eval Hours=(passed*Standard_Working_Time)/60
|eval FTE=(Hours/127.5)
|eval Benefit=(passed*Standard_Working_Time*Benefit_Per_Minute)
|stats sum(heartbeat) as Volumes sum(passed) as Successful avg(STP) as Average_STP,sum(FTE) as FTE_Saved, sum(Hours) as Hours_Saved, sum(Benefit) as Rand_Benefit by Process_Name, Business_Unit, Analyst_Responsible
|foreach * [eval FTE_Saved=round('FTE_Saved',3)]
|foreach * [eval Hours_Saved=round('Hours_Saved',3)]
|foreach * [eval Rand_Benefit=round('Rand_Benefit',2)]
|foreach * [eval Average_STP=round('Average_STP',2)]
| eval row = Process_Name . "|" . Analyst_Responsible . "|" . Business_Unit . "|" . Volumes . "|" . Successful . "|" . Average_STP
| stats values(row) AS report
| eval report = mvjoin(report, "
")


0 Karma

livehybrid
SplunkTrust

Hi @sphiwee 

I think the issue is that your current SPL concatenates all your data into a single field (`report`) separated by line breaks, although it's not clear how that line break is interpreted by Teams.

I have previously had success with Microsoft Teams using Markdown or specific JSON structures (like Adaptive Cards) for rich formatting like tables, especially via webhooks. Simple text won't be interpreted as a table. Technically speaking, Teams webhook messages don't support Markdown, and HTML is encoded and treated as text.


You can try modifying your SPL to generate a Markdown formatted table directly within the search results. This *might* render correctly in Teams depending on how the alert action sends the payload.
Remove your last three lines (`eval row = ...`, `stats values(row) AS report`, `eval report = mvjoin(...)`).
Add formatting logic after the `foreach` loops.

index="acoe_bot_events"
unique_id = *
| lookup "LU_ACOE_RDA_Tracker" ID AS unique_id
| search Business_Area_Level_2="Client Solutions Insurance" , Category="*", Business_Unit = "*", Analyst_Responsible = "*", Process_Name = "*"
| eval STP=(passed/heartbeat)*100
| eval Hours=(passed*Standard_Working_Time)/60
| eval FTE=(Hours/127.5)
| eval Benefit=(passed*Standard_Working_Time*Benefit_Per_Minute)
| stats sum(heartbeat) as Volumes sum(passed) as Successful avg(STP) as Average_STP,sum(FTE) as FTE_Saved, sum(Hours) as Hours_Saved, sum(Benefit) as Rand_Benefit by Process_Name, Business_Unit, Analyst_Responsible
| foreach * [eval FTE_Saved=round('FTE_Saved',3)]
| foreach * [eval Hours_Saved=round('Hours_Saved',3)]
| foreach * [eval Rand_Benefit=round('Rand_Benefit',2)]
| foreach * [eval Average_STP=round('Average_STP',2)]
```--- Start Markdown Formatting ---```
| fillnull value="N/A" Process_Name Business_Unit Analyst_Responsible Volumes Successful Average_STP FTE_Saved Hours_Saved Rand_Benefit
``` Format each row as a Markdown table row ```
| eval markdown_row = "| " . Process_Name . " | " . Business_Unit . " | " . Analyst_Responsible . " | " . Volumes . " | " . Successful . " | " . Average_STP . "% | " . FTE_Saved . " | " . Hours_Saved . " | " . Rand_Benefit . " |"

``` Combine all rows into a single multivalue field ```
| stats values(markdown_row) as table_rows

``` Create the final Markdown table string ```
| eval markdown_table = "| Process Name | Business Unit | Analyst | Volumes | Successful | Avg STP | FTE Saved | Hours Saved | Rand Benefit |\n" . "|---|---|---|---|---|---|---|---|---|\n" . mvjoin(table_rows, "\n")

``` Select only the final field to be potentially used by the alert action ```
| fields markdown_table

In the alert action configuration, you'll need to reference the result field containing the Markdown. Often, you can use tokens like `$result.markdown_table$`.

Considerations for Markdown Approach:

  • Character Limits: Teams messages and webhook payloads have character limits. Very large tables might get truncated.
  • Rendering: Teams Markdown rendering for tables can sometimes be basic and may not be supported.
  • Alert Action App: Success depends heavily on *how* your Teams alert action sends the payload. Some might wrap it in JSON, others might send raw text. You might need to experiment.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
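
An added example, not part of the original answer and not code from any Splunk app: it builds the Adaptive Card JSON structure mentioned above from the pipe-delimited rows that the question's SPL produces, and drops trailing rows when the payload exceeds a size budget. The helper names, the 28 KB budget and the sample rows are assumptions constructed for illustration; sending the payload to a webhook is left out so the block runs offline.

```python
import json

# Field order taken from the question's `eval row = ...` line.
HEADERS = ["Process_Name", "Analyst_Responsible", "Business_Unit",
           "Volumes", "Successful", "Average_STP"]
MAX_BYTES = 28 * 1024  # assumed payload budget, not a value from the thread

# Constructed sample of the newline-joined `report` field (not real data).
SAMPLE = ("Claims Intake|Analyst A|Unit 1|120|110|91.67\n"
          "not a table row\n"
          "Policy Renewal|Analyst B|Unit 2|80|72|90.0")


def _cell(text, bold=False):
    block = {"type": "TextBlock", "text": str(text), "wrap": True}
    if bold:
        block["weight"] = "Bolder"
    return {"type": "TableCell", "items": [block]}


def _row(values, bold=False):
    return {"type": "TableRow", "cells": [_cell(v, bold) for v in values]}


def parse_rows(report):
    """Split the report string into rows, skipping malformed lines."""
    rows = [[c.strip() for c in line.split("|")] for line in report.splitlines()]
    return [r for r in rows if len(r) == len(HEADERS)]


def build_payload(rows, max_bytes=MAX_BYTES):
    """Wrap rows in an Adaptive Card Table; drop trailing rows if over budget."""
    kept = list(rows)
    while True:
        table = {"type": "Table", "firstRowAsHeader": True,
                 "columns": [{"width": 1} for _ in HEADERS],
                 "rows": [_row(HEADERS, True)] + [_row(r) for r in kept]}
        body = [table]
        if len(kept) < len(rows):  # tell the reader the table was cut
            body.append({"type": "TextBlock", "wrap": True,
                         "text": f"Showing {len(kept)} of {len(rows)} rows"})
        card = {"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
                "type": "AdaptiveCard", "version": "1.5", "body": body}
        payload = {"type": "message", "attachments": [{
            "contentType": "application/vnd.microsoft.card.adaptive",
            "content": card}]}
        if len(json.dumps(payload).encode("utf-8")) <= max_bytes or not kept:
            return payload
        kept.pop()
```

A field value that itself contains `|` would be rejected by `parse_rows` as malformed; pick a delimiter in the SPL that cannot occur in the data.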

 

sphiwee
Contributor

Output on Splunk:

sphiwee_0-1743411102160.png

 

0 Karma

sphiwee
Contributor

Hi, I just tried this and the output is still not organized.


sphiwee_0-1743410893793.png

 

0 Karma

livehybrid
SplunkTrust

Ah, this is a shame; it looks like it doesn't allow \n characters either.

Unfortunately I think using this approach isn't going to work for you due to the way that Teams processes the webhook.

Instead I would recommend checking out https://splunkbase.splunk.com/app/4855 / https://github.com/guilhemmarchand/TA-ms-teams-alert-action by the mighty @guilmxm, which does support Markdown for your MS Teams alerts!


🌟 Did this answer help you? If so, please consider:

    • Adding kudos to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

richgalloway
SplunkTrust

Have you tried the table command?

index="acoe_bot_events" unique_id = *
| lookup "LU_ACOE_RDA_Tracker" ID AS unique_id
| search Business_Area_Level_2="Client Solutions Insurance" Category="*" Business_Unit = "*" Analyst_Responsible = "*" Process_Name = "*"
| eval STP=(passed/heartbeat)*100
| stats sum(heartbeat) as Volumes sum(passed) as Successful avg(STP) as Average_STP by Process_Name, Business_Unit, Analyst_Responsible
| eval Average_STP=round('Average_STP',2)
| table Process_Name, Analyst_Responsible, Business_Unit, Volumes, Successful, Average_STP

 

---
If this reply helps you, Karma would be appreciated.
0 Karma