All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ticketing from Splunk: Can we have the search return verbiage based on the results to be used in a ticket?

sallyanntracy
Explorer
‎12-29-2017 11:34 AM

We're using Splunk App for VMware to monitor and ticket our ESXi hosts & guests. We want to have helpful verbiage appear in the ticket based on the results of the alert search. Can we write that into a search instead of in the ticketing code?

Alert: VMW ESX Server Disconnected

Condition: return #connectionState# != "connected" && #virtualMachinesPoweredOnCount# > 0

Verbiage:
Virtual Machines Powered On. ESX Server @name disconnected from the Virtual Center while @vmcount virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center.

Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-31-2017 09:33 AM

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center."

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-31-2017 09:33 AM

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center."

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...