Hi Everyone,
I have one requirement.
I am creating Incidents through Splunk alerts using SAHARA.
The issue I am facing is:
Below is my query:
index=abc ns=xyz|stats count by app_name|eval f1="khus"
The result of the query is this:
app_name f1
abc khus
xyx khus
But when I create an incident I am only getting the first row in my incident, not the second row.
I have passed it like this in the unique ID:
$result.app_name$ $result.f1$
Can someone guide me on this?
Hi @aditsss,
You can set Trigger to For each result under Trigger Conditions on the alert edit page.
If this reply helps you, a like would be appreciated.
In this way 2 Incidents are created, one for each row.
I want only one Incident to be there, and the 2nd should be appended to it.
Because they are from the same result.
Can you guide me, is that possible?
You can attach the results as a CSV file OR make the fields multivalued so that all the events fit into one row.
index=abc ns=xyz | stats count by app_name | eval f1="khus" | stats values(*) as *
I can't use CSV or append the result in a single row because these are Exception messages and all will be different.
There could be 15 rows also.
Is there any way that if the search alert results in 5 rows,
one incident will be created and all 5 rows will be appended to it?
Is there any functionality for that?
Yes you can, try this:
index=abc ns=xyz | stats count by app_name | eval f1="khus" | streamstats count as temp | eval temp=floor((temp-1)/5) | stats values(*) as * by temp | fields - temp
I tried with this query as well:
index=abc ns=blazegateway | stats count by app_name | eval f1="khushi" | streamstats count as temp | eval temp=floor((temp-1)/3) | stats values(*) as * by temp | fields - temp
I am still getting 3 rows.
index=abc ns=blazegateway | stats count by app_name | eval f1="khushi" | streamstats count as temp | eval temp=floor((temp-1)/3) | stats list(*) as * by temp | fields - temp
Post some data if you don't get the result you expect.
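A runnable version of the chunking idea from the two answers above, added here as an example; it is not part of the original thread and not anyone's posted query. It replaces the real search with constructed makeresults rows (7 rows with an assumed count, so the grouping by 5 is visible), numbers the rows with streamstats and groups by that row number rather than by the count field, keeps app_name and f1 paired with list(), and joins the pairs into one single-valued field (named incident_key, an assumed name) that the alert action can reference as $result.incident_key$:

```spl
| makeresults count=7
| streamstats count AS rownum
| eval app_name="app".rownum, f1="khus", count=rownum*10
| fields - _time
| eval pair=app_name." ".f1
| eval chunk=floor((rownum-1)/5)
| stats list(pair) AS pairs sum(count) AS total_count BY chunk
| eval incident_key=mvjoin(pairs, "; ")
| fields - chunk
```

The first three lines are only the constructed stand-in for `index=abc ns=xyz | stats count by app_name | eval f1="khus"`; swap them out and keep the rest. With 7 rows this returns 2 rows: chunk 0 with incident_key "app1 khus; app2 khus; app3 khus; app4 khus; app5 khus" and chunk 1 with "app6 khus; app7 khus". Because the alert with Trigger set to Once feeds only the first result row into the action tokens, choose a divisor at least as large as the number of rows you expect (or drop `BY chunk` to get exactly one row), or combine the chunking with "For each result" to get one incident per chunk. list() keeps the row order and the app_name/f1 pairing but returns at most 100 values; values() would sort and deduplicate, which breaks the pairing between fields.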
With this query also I am getting 3 rows.
Is it possible that I can create one incident and then append the rest of the rows to it?
I want that if 2 rows are coming in the search result for the alert, then both rows should come in the same incident.
Suppose these are the results I am getting:
F1 appname
k d
c g
Then when creating the incident, in the unique field, when I type $result.F1$ $result.appname$,
both F1 and appname should come in the same incident.
But currently I am getting only one in the incident.
Can you guide me on this?