Combine multiple tables in single alert

twh1 · ‎04-11-2019

I have 3 different searches. All are printing separate tables. I want to configure the single alert, which will contain all 3 table one after other. Is this feature available in Splunk 7.1? I want the email content like below.

table 1

**col1 col2 col3**
row1 row1 row1
row2 row2 row2

table 2

**col1 col2 col3**
row1 row1 row1
row2 row2 row2

table 3

**col1 col2 col3**
row1 row1 row1
row2 row2 row2

dmarling · ‎04-11-2019

Are the column names all the same? Also are these three searches scheduled at all? If not you can just have a union run all three searches and produce the results to a single table:

| union
    [search search1
    | eval Type="Search 1"
    | table Type col1 col2 col3]
    [search search2
    | eval Type="Search 2"
    | table Type col1 col2 col3]
    [search search3
    | eval Type="Search 3"
    | table Type col1 col2 col3]

If this comment/answer was helpful, please up vote it. Thank you.

twh1 · ‎04-11-2019

Hi @dmarling ,
All there tables have different field names. I tried for union command, but it is merging all table columns and displaying the data.

Combine multiple tables in single alert

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Combine multiple tables in single alert

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!