We have an alert that checks for a particular condition (Oracle errors) across multiple indexes:
(index=HOP OR index=FOO OR index=BAR) AND Description=ORA-*
The e-mail is sent to multiple people. I'd like the subject of the e-mail generated to contain the output of stats sum(count) by index -- to help people responsible for the different applications prioritize their work... Can things like this be done?
Update: I attempted to follow the advice by @aberkow adding the last line like this:
| eval App=upper(index)
| fields App, _time, Description, source
| stats sum(count) as incidence by App
And then adding $result.incidence$ to the subject. Unfortunately, this did not add the actual counts to the Subject. Worse, the body of the e-mail -- instead of listing the four fields specified, now lists only two columns: the App and the incidence. And the latter column is empty...
Good call out - I made the update. That's interesting, what is in your alert-body before? Was it also a token? It shouldn't have affected it, although most of the time I just send $results_link$ as a best practice.
The alert used to contain a table of all of the detected Oracle errors -- the four fields enumerated in my question. Now it contains only two fields: the App and the incidence. And the second column is empty...
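An added example, not part of the thread above, of how the search from the update can be rewritten so that the e-mail body keeps the per-event table and the subject carries the per-index counts. Two Splunk behaviours are assumed here and explain the symptoms the question reports: `stats sum(count)` over raw events produces an empty value because the events have no `count` field (the `count` aggregation is what produces a count), and `$result.fieldname$` in an alert subject is filled from the first row of the results only, so a multi-row `stats ... by App` table cannot be carried into the subject directly. The index names and the field values in the constructed output are taken from the question; the `incidence`, `pair` and `summary` field names are assumptions for this example.

```spl
(index=HOP OR index=FOO OR index=BAR) Description=ORA-*
| eval App=upper(index)
| eventstats count AS incidence BY App
| eval pair=App.": ".incidence
| eventstats values(pair) AS summary
| eval summary=mvjoin(summary, ", ")
| fields App _time Description source summary
```

`eventstats` attaches the aggregate to every event instead of collapsing the results, so the body still lists one row per Oracle error with the four original fields; `values(pair)` yields one "App: count" entry per index, and `mvjoin` flattens that into a single string that is identical on every row. With that, a subject such as `Oracle errors by app: $result.summary$` renders as, for example, `Oracle errors by app: BAR: 3, FOO: 12, HOP: 1` (constructed output). `eventstats` scans the whole result set, so if the alert matches very large volumes it is cheaper to keep the original search for the body and use a separate scheduled `stats count BY App` search for the notification.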