All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ticketing from Splunk: Can we have the search return verbiage based on the results to be used in a ticket?

sallyanntracy
Explorer
‎12-29-2017 11:34 AM

We're using Splunk App for VMware to monitor and ticket our ESXi hosts & guests. We want to have helpful verbiage appear in the ticket based on the results of the alert search. Can we write that into a search instead of in the ticketing code?

Alert: VMW ESX Server Disconnected

Condition: return #connectionState# != "connected" && #virtualMachinesPoweredOnCount# > 0

Verbiage:
Virtual Machines Powered On. ESX Server @name disconnected from the Virtual Center while @vmcount virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center.

Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-31-2017 09:33 AM

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center."

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-31-2017 09:33 AM

You can definitely have such verbiage added to your search, but there's not just one way to do it.

The most obvious seems to be a lookup of some sort, which can add a field to your events based on the value of one or more fields.

Another option is a simple case statement within your search, which might make it easy to perform string concatenation using your required variables:

| eval verbiage=case(connectionState!="connected" and virtualMachinesPoweredOnCount>0, "Virtual Machines Powered On. ESX Server " . name . " disconnected from the Virtual Center while " . vmcount . " virtual machines were running on it. Make sure that this server is running properly and is connected to the Virtual Center."

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...