Splunk Search

Can stats be in the subject of an alert-generated e-mail?

unitedmarsupial
Path Finder

We have an alert that checks for a particular condition (Oracle errors) across multiple indexes:

(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*

The e-mail is sent to multiple people. I'd like the subject of the e-mail generated to contain the output of stats sum(count) by index -- to help people responsible for the different applications prioritize their work... Can things like this be done?

Update: I attempted to follow the advice by @aberkow adding the last line like this:

....
| eval App=upper(index) 
| fields App, _time, Description, source
| stats sum(count) as incidence by App

And then adding $result.incidence$ to the subject. Unfortunately, this did not add the actual counts to the Subject. Worse, the body of the e-mail -- instead of listing the four fields specified, now lists only two columns: the App and the incidence. And the latter column is empty...

0 Karma

aberkow
Builder

Do you mean something like this? https://answers.splunk.com/answers/785739/is-it-possible-to-have-a-token-in-the-saved-search.html#an...

I think you're saying that you want to add in a token in the subject, which is super doable

| stats sum(count) as countOfWhatever by index

Subject: $result.countOfWhatever$ unindexed or unsupported or...

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens: for the same info linked in that other question!

Hope this helps

0 Karma

unitedmarsupial
Path Finder

Thanks. That removed all of the events from the e-mail's body -- replacing them with the incidence per index. Can I keep the alert-body as it was, but still have the per-index summary in Subject?

0 Karma

aberkow
Builder

Good call out - I made the update. That's interesting, what is in your alert-body before? Was it also a token? It shouldn't have affected it, although most of the time I just send $results_link$ as a best practice.

0 Karma

unitedmarsupial
Path Finder

The alert used to contain a table of all of the detected Oracle errors -- four fields enumerated in my question. Now it contains only two fields: the App and the incidence. And the second column is empty...

0 Karma
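The following search is an added example, not code posted by either participant in this thread. It addresses both halves of the question: keeping the full event table in the e-mail body while still exposing a per-index summary that a `$result.…$` subject token can pick up. Two points it relies on: `stats` replaces the event rows with its aggregate rows, whereas `eventstats` attaches the aggregate to every row and keeps them; and a result token such as `$result.summary$` reads the named field from the first result row, so the summary has to be present on every row (or at least the first). It also avoids the original `sum(count)`, which is empty because raw events carry no `count` field; `eventstats count` produces the per-App tally directly. Index names, the `App`, `Description` and `source` fields, and the `ORA-*` match are taken from the thread; `pair` and `summary` are field names assumed here for the example.

```spl
(index=HOP OR index=FOO OR index=BAR) Description=ORA-*
| eval App=upper(index)
| eventstats count AS incidence BY App
| eval pair=App."=".incidence
| eventstats values(pair) AS summary
| eval summary=mvjoin(summary, ", ")
| table App _time Description source summary
```

With this search, every row still describes one Oracle error (the body keeps the original four columns, plus the repeated `summary` column), and an alert subject of `Oracle errors: $result.summary$` renders something like `Oracle errors: BAR=2, FOO=7, HOP=1`, since `values()` de-duplicates and sorts the per-App pairs before `mvjoin` flattens them into one string.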