
Is there a way to have multiple results in an alert emails subject?

mcg_connor
Path Finder

I'm trying to add the hostnames that result from a search to the email subject of an alert but currently I'm only able to have 1 hostname in the subject when I use $result.host$. For example if the search results in having host1 and host2, only host1 will show up in the email subject line. Is there a way to have both hosts show?

Thanks


woodcock
Esteemed Legend

In your search, add this SPL:

| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.

michaelissartel
Explorer

Hi @woodcock, is there a way to extract value 1 or 2 or N of a multivalued field?

Thanks


woodcock
Esteemed Legend

... | eval 2nd = mvindex(mvfield, 1, 1)

michaelissartel
Explorer

Hi @woodcock, thank you.

The full SPL working for me is:

... | eventstats values(host) AS _host_list | eval 2nd = mvindex(_host_list, 1, 1) | nomv 2nd


techytanzy
Explorer

Did the suggested solution work for anybody?

For me it's always giving a null value, but if I try to print it, the variable shows all the values in a non-multivalue fashion.

Following is the query:

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | table source, host

And in the subject it is used like this:

Alert occurred for following hosts
$result.hostlists$

If I remove "| nomv hostlists", then it gives at least one host.

Also tried evaluating it as a separate field, but again no luck.

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | eval hostlist=hostlists | nomv hostlist | table source, host

And used it as $result.hostlist$

Thanks


techytanzy
Explorer

Hello @woodcock, any suggestion please?

woodcock
Esteemed Legend

How is this hard?

Your search is this:

index=app_index earliest=-5m
| dedup source
| table source, host

I said this:
In your search, add this SPL:

| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.

Which means you end up with this:

index=app_index earliest=-5m
| dedup source
| table source, host
| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.
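
A fuller version of the same idea, added here as an example and not taken from any post in this thread: it uses mvjoin to choose the delimiter between hosts explicitly (nomv takes no delimiter argument), mvindex for the Nth host as asked above, and keeps the derived fields in the final table, because a table command that omits them drops them before the alert tokens are read, which is why the search above that ends in "table source, host" after eventstats yields an empty token. The index name comes from the thread; host_mv, host_count, host_list and second_host are assumed field names.

```spl
index=app_index earliest=-5m
| dedup source
| eventstats values(host) AS host_mv
| eval host_count=mvcount(host_mv)
| eval host_list=mvjoin(host_mv, ", ")
| eval second_host=mvindex(host_mv, 1)
| table source, host, host_count, host_list, second_host
```

In the alert subject use e.g. "Alert for $result.host_count$ host(s): $result.host_list$"; eventstats writes the same list into every row, so the first result carries all hosts.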

yuanliu
SplunkTrust

Are you looking for something like rex max_match=0?

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rex

max_match
Syntax: max_match=
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1, use 0 to mean unlimited.
