Saved Search alert on "events" not rows on summary search

New Member

Running Splunk 4.3.3
Is it possible to have a saved search alert in the count rather than rows if I try a summary search instead of full search?
Example:
Name: 'SavedSearchName'
Query Terms: '"Search String here" | stats count by host,source,ServiceName'
...
number of events(2)'

host   source                 ServiceName  count
host1  /pathtohost1logs.log   OneService   10
host2  /pathtohost2logs.log   OneService   25

This shows only 2 events, but the search actually has 35. How can I get the events to be 35 rather than 2?

Splunk Employee

That is currently not possible with out-of-the-box features. But, you can always update the script which builds the email body (sendemail.py) to customize the contents.

New Member

That's unfortunate; it would be nice to have. Thanks for the reply.
