Dashboards & Visualizations

Multiple Results in an alert emails subject

mcg_connor
Explorer

I'm trying to add the hostnames that result from a search to the email subject of an alert but currently I'm only able to have 1 hostname in the subject when I use $result.host$. For example if the search results in having host1 and host2, only host1 will show up in the email subject line. Is there a way to have both hosts show?

Thanks

0 Karma
1 Solution

woodcock
Esteemed Legend

In your search, add this SPL:

| evenstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.

View solution in original post

woodcock
Esteemed Legend

In your search, add this SPL:

| evenstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.

View solution in original post

yuanliu
Builder

Are you looking for something likerex max_match=0?

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rex

max_match
Syntax: max_match=
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1, use 0 to mean unlimited.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!