Ticketing from Splunk: Can we have the search return verbiage based on the results to be used in a ticket?

sallyanntracy
Explorer

We're using Splunk App for VMware to monitor and ticket our ESXi hosts & guests. We want to have helpful verbiage appear in the ticket based on the results of the alert search. Can we write that into a search instead of in the ticketing code?

Alert: VMW ESX Server Disconnected

Condition: return #connectionState# != "connected" && #virtualMachinesPoweredOnCount# > 0

Verbiage:
Virtual Machines Powered On. ESX Server @name disconnected from the Virtual Center while @vmcount virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center.

1 Solution

micahkemp
Champion

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center.")

0 Karma
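
As an added example (not part of micahkemp's answer or the Splunk App for VMware), here is one way to combine the two options above in a single SPL search: an eval-derived key, a CSV lookup that holds the template text, and placeholder substitution so the @name/@vmcount wording from the question can live in the lookup rather than in the search. The lookup name vmw_alert_verbiage, its columns alert_key and verbiage_template, the second key esx_disconnected_idle and the base search on the first line are assumptions; field names follow the condition in the question.

```spl
<base search returning one event per ESXi host from the VMware app>
| eval alert_key=case(
    connectionState!="connected" AND virtualMachinesPoweredOnCount>0, "esx_disconnected_vms_on",
    connectionState!="connected", "esx_disconnected_idle")
| where isnotnull(alert_key)
| lookup vmw_alert_verbiage alert_key OUTPUT verbiage_template
| eval verbiage=replace(replace(verbiage_template, "@name", name), "@vmcount", tostring(virtualMachinesPoweredOnCount))
| table name, connectionState, virtualMachinesPoweredOnCount, verbiage
```

vmw_alert_verbiage.csv needs one row per alert_key, with the question's "Virtual Machines Powered On. ESX Server @name disconnected from the Virtual Center while @vmcount virtual machines were running on it. ..." text as the verbiage_template for esx_disconnected_vms_on. In the alert's ticketing action the finished text is then available through the $result.verbiage$ token.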
