Is there a way to have multiple results in an alert email's subject?

mcg_connor
Path Finder

I'm trying to add the hostnames that result from a search to the email subject of an alert but currently I'm only able to have 1 hostname in the subject when I use $result.host$. For example if the search results in having host1 and host2, only host1 will show up in the email subject line. Is there a way to have both hosts show?

Thanks

woodcock
Esteemed Legend

In your search, add this SPL:

| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.

michaelissartel
Explorer

Hi @woodcock is there a way to extract the value 1 or 2 or N of a multivalued field ?

Thanks


woodcock
Esteemed Legend

... | eval 2nd = mvindex(mvfield, 1, 1)

michaelissartel
Explorer

Hi @woodcock thank you

the full SPL working for me is:

... | eventstats values(host) AS _host_list | eval 2nd = mvindex(_host_list, 1, 1) | nomv 2nd


techytanzy
Explorer

Did the suggested solution work for anybody?

For me it's always giving a null value, but if I try to print it, the variable shows all the values in non-multivalue fashion.

Following is the query:

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | table source, host

And in the subject I used it like this:

Alert occurred for following hosts
$result.hostlists$

If I remove "| nomv hostlists", then it gives at least one host.

Also tried evaluating it as a separate field, but again no luck:

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | eval hostlist=hostlists | nomv hostlist | table source, host

And used it as $result.hostlist$

Thanks

techytanzy
Explorer

Hello @woodcock, any suggestion please?


woodcock
Esteemed Legend

How is this hard?

Your search is this:

index=app_index earliest=-5m 
| dedup source 
| table source, host

I said this:
In your search, add this SPL:

| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.

Which means you end up with this:

index=app_index earliest=-5m
| dedup source
| table source, host
| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.
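The exchange above turns on how each SPL command treats fields: `table source, host` keeps only the two listed fields, so a `hostlists` field computed before it never reaches the alert token, while `eventstats` and `nomv` appended after the `table` survive into the first result row that `$result.<field>$` reads. The following is an added illustration, not code from this thread or from Splunk: a small Python model of those field semantics run over constructed sample events. The separator `nomv` uses and the exact rendering of an absent token are assumptions of the model (a space and `None` respectively); the ordering behaviour is what the thread reports.

```python
"""Added illustration (not code from this thread or from Splunk): a Python
model of how the SPL commands used above treat fields. It shows why
$result.hostlists$ came back empty when `table source, host` followed the
`nomv`, why a bare multivalue field gives only the first host, and why the
accepted ordering (eventstats + nomv appended after the table) works.

Modelled semantics: eventstats values(x) adds a sorted, de-duplicated
multivalue field to every event; table keeps only the listed fields; nomv
collapses a multivalue field to one string (space separator is an
assumption of this model); $result.<field>$ reads the first result row and
renders a multivalue field as its first value.
"""

# Constructed sample data standing in for `index=app_index earliest=-5m`.
SAMPLE_EVENTS = [
    {"source": "/var/log/app.log", "host": "host1"},
    {"source": "/var/log/app.log", "host": "host1"},
    {"source": "/var/log/auth.log", "host": "host2"},
    {"source": "/var/log/db.log", "host": "host3"},
]


def dedup(field):
    """| dedup <field>: keep the first event seen for each value of field."""
    def cmd(events):
        seen, out = set(), []
        for ev in events:
            if ev.get(field) not in seen:
                seen.add(ev.get(field))
                out.append(dict(ev))
        return out
    return cmd


def eventstats_values(src, dst):
    """| eventstats values(src) AS dst: distinct values of src, sorted, added to every event."""
    def cmd(events):
        vals = sorted({ev[src] for ev in events if ev.get(src) is not None})
        return [{**ev, dst: list(vals)} for ev in events]
    return cmd


def mvindex(src, dst, start, end=None):
    """| eval dst = mvindex(src, start, end): 0-based inclusive slice of a multivalue field."""
    def cmd(events):
        out = []
        for ev in events:
            v = ev.get(src)
            vals = v if isinstance(v, list) else ([] if v is None else [v])
            s = start + len(vals) if start < 0 else start
            e = (s if end is None else end)
            e = e + len(vals) if e < 0 else e
            out.append({**ev, dst: vals[s:e + 1]})
        return out
    return cmd


def nomv(field, sep=" "):
    """| nomv <field>: multivalue -> one string. The separator is this model's assumption."""
    def cmd(events):
        return [{**ev, field: sep.join(ev[field])} if isinstance(ev.get(field), list) else ev
                for ev in events]
    return cmd


def table(*fields):
    """| table f1, f2, ...: keep only the listed fields; everything else is dropped."""
    def cmd(events):
        return [{f: ev[f] for f in fields if f in ev} for ev in events]
    return cmd


def run(events, *cmds):
    for cmd in cmds:
        events = cmd(events)
    return events


def result_token(events, field):
    """$result.<field>$ in the alert subject: first row only; a multivalue field
    renders as its first value; a missing field renders as empty (None here)."""
    if not events or field not in events[0]:
        return None
    v = events[0][field]
    return v[0] if isinstance(v, list) else v


def op_subject():
    """mcg_connor's original: $result.host$ yields only the first host."""
    return result_token(run(SAMPLE_EVENTS, dedup("source"), table("source", "host")), "host")


def failing_subject():
    """techytanzy's search: the trailing `table source, host` drops hostlists -> empty token."""
    events = run(SAMPLE_EVENTS, dedup("source"),
                 eventstats_values("host", "hostlists"), nomv("hostlists"),
                 table("source", "host"))
    return result_token(events, "hostlists")


def accepted_subject():
    """woodcock's ordering: eventstats + nomv appended after the table."""
    events = run(SAMPLE_EVENTS, dedup("source"), table("source", "host"),
                 eventstats_values("host", "_host_list"), nomv("_host_list"))
    return result_token(events, "_host_list")


def second_host_subject():
    """michaelissartel's follow-up: mvindex(_host_list, 1, 1) picks the second host."""
    events = run(SAMPLE_EVENTS, dedup("source"),
                 eventstats_values("host", "_host_list"),
                 mvindex("_host_list", "second", 1, 1), nomv("second"))
    return result_token(events, "second")
```

Running the four functions side by side makes the point of the thread concrete: `op_subject()` returns only `host1`, `failing_subject()` returns nothing because the field was dropped, and `accepted_subject()` returns all three hosts as one string, which is what lands in the subject line.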

yuanliu
SplunkTrust

Are you looking for something like rex max_match=0?

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rex

max_match
Syntax: max_match=<int>
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1; use 0 to mean unlimited.
