How to access searchmatch count in eMail notificat...

kodaganti · ‎05-26-2016

I have the below working SPLUNK query which is being used to print the timechart. I would like to trigger an email alert on daily basis. I would like to use the same query for email alert on daily basis.

Problem : How can I access the count of each searchmatch in email notification?

I am trying to access the counts like below in Splunk alert:

'$name$' 

Status Value  :  Count

Approved : $result.string.Approved$
Declined   : $result.string.Decline$
Pending    : $result.string.Pending$
Review      : $result.string.Review$
Null            :$result.string.Null_Status$

ALL            :  $result.All$ (Should be sum of all above statues)

But it is not working.

Here is the Query:

index=dotcom sourcetype=dotcom_cc   "and applicationStatus value : *" OR "and applicationStatus value : D" OR "and applicationStatus value : R"  OR "and applicationStatus value : A" OR "and applicationStatus value : P" OR "and applicationStatus value : null"  | eval string=case(searchmatch("and applicationStatus value : D"), "Decline",  searchmatch("and applicationStatus value : R"), "Review",  searchmatch("and applicationStatus value : A"), "Approved",  searchmatch("and applicationStatus value : P"), "Pending",  searchmatch("and applicationStatus value : null"), "Null_Status") | timechart count by string

woodcock · ‎05-26-2016

First, add this to your search:

| eval All = "Decline" + "Review" + "Approved" + "Pending" + "Null_Status"

Then try this for your email:

'$name$'

Status Value:  Count
Approved:      $result.Approved$
Declined:      $result.Decline$
Pending:       $result.Pending$
Review:        $result.Review$
Null:          $result.Null_Status$

ALL:           $result.All$

How to access searchmatch count in eMail notifications

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!