All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ticketing from Splunk: Can we have the search return verbiage based on the results to be used in a ticket?

sallyanntracy
Explorer
‎12-29-2017 11:34 AM

We're using Splunk App for VMware to monitor and ticket our ESXi hosts & guests. We want to have helpful verbiage appear in the ticket based on the results of the alert search. Can we write that into a search instead of in the ticketing code?

Alert: VMW ESX Server Disconnected

Condition: return #connectionState# != "connected" && #virtualMachinesPoweredOnCount# > 0

Verbiage:
Virtual Machines Powered On. ESX Server @name disconnected from the Virtual Center while @vmcount virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center.

Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-31-2017 09:33 AM

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center."

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-31-2017 09:33 AM

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center."

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...