I am trying to generate one event from a list of similar events. I want to remove the _check and add these to one field separated by commas. I am generating a critical event that lists all the hosts that are not showing.
example:
HOST SEVERITY
Bob_1009_check Critical
Jack_1002_check Critical
John_1001_check Critical
So when I am done I want it to be:
HOST (or some other field name) SEVERITY DESCRIPTION
Bob_1009, Jack_1002, John_1001 Critical (Bob_1009, Jack_1002, John_1001) are no longer up, please review your logs.
I have trimmed the host accurately, but I cannot figure out how to get a table of hosts to show in a side-by-side list to add into a description field I want to generate in an alert. I DO NOT WANT a table. I want them side by side, comma separated or semicolon separated.
With the information from both and research, I found the answer that I was looking for:
| stats values(host) as host
| eval host="(".mvjoin(host,",").")"
| nomv host
| eval description=host." host have failed"
The results gave me what I was looking for: (host1,host2,host3....) host have failed
The stats command made the host a multivalue field, the mvjoin allowed the commas between, and the nomv took away the multivalue and made it a normal field.
Thanks for ideas. Appreciate the time from your busy schedules.
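A complete search putting the pieces of this thread together (stats values to collect the hosts into one multivalue field, mvjoin for the comma list, nomv to flatten it) is added here as an example; it is not the poster's own search. It assumes the index name and message pattern from the question, assumes the hosts still carry the _check suffix and strips it with replace(), and derives the UP/DOWN status from the number of failed hosts instead of appending a dummy row:

```spl
index=myindex message=" failed*"
| eval host=replace(host, "_check$", "")
| stats values(host) as failed_hosts
| eval failed_count=mvcount(failed_hosts)
| fillnull value=0 failed_count
| eval status=if(failed_count>0, "DOWN", "UP")
| eval severity=if(status="DOWN", "Critical", "Normal")
| eval host_list="(".mvjoin(failed_hosts, ", ").")"
| eval description=if(status="DOWN", host_list." are no longer up, please review your logs.", "All hosts are up.")
| nomv failed_hosts
| table status severity host_list description
```

Because stats without a by clause always returns one row, a search with no matching events still produces a single UP event; fillnull turns the empty mvcount into 0 so the if() comparison works. When hosts have failed, host_list comes out as (host1, host2, host3) and description carries the same list in one normal (non-multivalue) field, which is what an alert action needs.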
It's not working as I expect. I already knew how to do the description. To simplify, I am creating a script for whether it is up or down. If there are no failed alerts, then it is up. I am creating an event for up or down. If they're down, I need to add the list of down hosts to the description. I can't use my stuff, but this was enough to give a better understanding.
index=myindex message=" failed*"
| table host
| dedup host
| append
[| makeresults annotate=true
| eval host="Dummy"
| table host]
| eventstats count
| eval status = if(count<2,"UP","DOWN")
| eval severity = if(status="DOWN","Critical","Normal")
| eval multiplehost=mvjoin(host, ", ")
| eval msg=if(severity="Critical","Host Have Failed", "Host are Successful")
| eval description=if(severity="Critical",multiplehost,"").msg
I have tried different commands to join it and placed it in various places. I can't seem to get it to add them together into (host1,host2,host3) in a description.
OK. Right from the start there are some things that can be improved 🙂
| table host
| dedup host
While in this particular case it might not make such a difference, it's worth remembering that the table command moves processing to the search-head layer, so it's best avoided until you really need to transform your data into a table for presentation.
I'd do
| stats values(host) as host
| mvexpand host
instead.
The annotate=t part is also not needed very much as you only want to set one field.
I'm not sure what you're trying to do with this line:
| eval multiplehost=mvjoin(host, ", ")
I suppose you want it to work differently than it does. You can't "reach" to other result lines with the eval command. So you either need to combine your results into a multivalued field or maybe transpose your results and do a foreach. But this one will not work.
Also, unless you have one of each host (not just one "dummy") in the appended part you won't detect the failed ones.
The mvjoin line was only one way I tried to add all the hosts together to get it to look like (host1,host2,host3) are not coming in on the description. I am having difficulty getting any of the results to be side by side, separated by a comma. That is why I am on here. I have looked through so much documentation and cannot get my results for the hosts to go into one event that looks like (host1, host2, host3).
You stated to use a foreach command. I am not quite sure how that would look to get it to put the host in one event side by side.
If you want multiple values in a single field you could do this
| stats values(HOST) as HOST by SEVERITY
| eval HOST=mvjoin(HOST, ",")
I don't know what it has to do with ITSI but in general, if you want to present something in a table, you use a table. If you want to manually render some strings, you just use eval to concatenate multiple strings together, add something to them and so on.
Depending on your use case, you could use the table but use some clever styling with CSS to render the table the way you want.
So either use something like
| eval host_with_description = host . description
or be more precise about what you want to achieve.