
Is there a way to have multiple results in an alert email's subject?

mcg_connor
Path Finder

I'm trying to add the hostnames that result from a search to the email subject of an alert, but currently I'm only able to have one hostname in the subject when I use $result.host$. For example, if the search results contain host1 and host2, only host1 will show up in the email subject line. Is there a way to have both hosts show?

Thanks


woodcock
Esteemed Legend

In your search, add this SPL:

| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.

michaelissartel
Explorer

Hi @woodcock, is there a way to extract value 1 or 2 or N of a multivalued field?

Thanks


woodcock
Esteemed Legend

... | eval 2nd = mvindex(mvfield, 1, 1)

michaelissartel
Explorer

Hi @woodcock, thank you.

The full SPL working for me is:

...  | eventstats values(host) AS _host_list  | eval 2nd = mvindex(_host_list, 1, 1) | nomv 2nd


techytanzy
Explorer

Did the suggested solution work for anybody?

For me it's always giving a null value, but if I try to print it, the variable shows all the values in non-multivalue fashion.

Following is the query

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | table source, host

And in the subject, used like this:

Alert occurred for following hosts
$result.hostlists$

If I remove "| nomv hostlists", then it gives at least one host.

Also tried evaluating it as a separate field, but again no luck.

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | eval hostlist=hostlists | nomv hostlist | table source, host

And used as $result.hostlist$

Thanks


techytanzy
Explorer

Hello @woodcock, any suggestion please?

woodcock
Esteemed Legend

How is this hard?

Your search is this:

index=app_index earliest=-5m 
| dedup source 
| table source, host

I said this:
In your search, add this SPL:

| eventstats values(host) AS _host_list 
| nomv _host_list

Then use $result._host_list$ in your subject.

Which means you end up with this:

index=app_index earliest=-5m
| dedup source
| table source, host
| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.
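Putting the thread together as one added example (this is not code from any of the answers above): the complete alert search with the host list collapsed by mvjoin, which lets you pick a separator that is safe in a one-line subject, plus the "Nth value" variant asked about earlier done with mvindex on the multivalue field before it is collapsed. It assumes the index and field names from the question (app_index, source, host); the output field names host_values, host_list and second_host are chosen here.

```spl
index=app_index earliest=-5m
| dedup source
| eventstats values(host) AS host_values
| eval host_list = mvjoin(host_values, ", ")
| eval second_host = mvindex(host_values, 1)
| fields source, host, host_list, second_host
```

With this search saved as the alert, the subject can be `Alert occurred for following hosts: $result.host_list$` (in savedsearches.conf that is the `action.email.subject` setting). The `$result.<field>$` token reads the named field from the first result row; because eventstats writes the same aggregated value onto every row, the first row already carries the full list. The reason the earlier attempt rendered null is the trailing `| table source, host`: it runs after nomv and keeps only the two named fields, so hostlists no longer exists when the token is evaluated. Keep the collapsed field in the final `table` or `fields` list, or put the eventstats/nomv step last as in the answer above. Fields whose names start with an underscore, such as `_host_list`, are hidden from the fields sidebar but remain addressable by name; the example uses plain names to avoid that surprise.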

yuanliu
SplunkTrust

Are you looking for something like rex max_match=0?

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rex

max_match
Syntax: max_match=
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1, use 0 to mean unlimited.
