Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can stats be in the subject of an alert-generated e-mail?

unitedmarsupial
Path Finder
‎12-09-2019 09:30 AM

We have an alert, that checks for a particular condition (Oracle-errors) across multiple indexes:

(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*

The e-mail is sent to multiple people. I'd like the subject of the e-mail generated to contain the output of stats sum(count) by index -- to help people responsible for the different applications prioritize their work... Can things like this be done?

Update: I attempted to follow the advice by @aberkow adding the last line like this:

....
| eval App=upper(index) 
| fields App, _time, Description, source
| stats sum(count) as incidence by App

And then adding $result.incidence$ to the subject. Unfortunately, this did not add the actual counts to the Subject. Worse, the body of the e-mail -- instead of listing the four fields specified, now lists only two columns: the App and the incidence. And the latter column is empty...

0 Karma
Reply

aberkow
Builder
‎12-09-2019 10:53 AM

Do you mean something like this? https://answers.splunk.com/answers/785739/is-it-possible-to-have-a-token-in-the-saved-search.html#an...

I think you're saying that you want to add in a token in the subject, which is super doable

| stats sum(count) as countOfWhatever by index

Subject: $result.countOfWhatever$ unindexed or unsupported or...

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens: for the same info linked in that other question!

Hope this helps

0 Karma
Reply

unitedmarsupial
Path Finder
‎12-09-2019 11:18 AM

Thanks.That removed all of the events from the e-mail's body -- replacing them with the incidence per index. Can I keep the alert-body as it was, but still have the per-index summary in Subject?

0 Karma
Reply

aberkow
Builder
‎12-09-2019 11:42 AM

Good call out - I made the update. That's interesting, what is in your alert-body before? Was it also a token? It shouldn't have affected it, although most of the time I just send $results_link$ as a best practice.

0 Karma
Reply

unitedmarsupial
Path Finder
‎12-09-2019 01:12 PM

The alert used to contain a table of all of the detected oracle-errors -- four fields enumerated in my question. Now it contains only two fields: the App and the incidence. And the second column is empty...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...