Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combine multiple tables in single alert

twh1
Communicator
‎04-11-2019 04:11 AM

I have 3 different searches. All are printing separate tables. I want to configure the single alert, which will contain all 3 table one after other. Is this feature available in Splunk 7.1? I want the email content like below.

table 1

**col1 col2 col3**
row1 row1 row1
row2 row2 row2

table 2

**col1 col2 col3**
row1 row1 row1
row2 row2 row2

table 3

**col1 col2 col3**
row1 row1 row1
row2 row2 row2
0 Karma
Reply

dmarling
Builder
‎04-11-2019 06:06 AM

Are the column names all the same? Also are these three searches scheduled at all? If not you can just have a union run all three searches and produce the results to a single table:

| union
    [search search1
    | eval Type="Search 1"
    | table Type col1 col2 col3]
    [search search2
    | eval Type="Search 2"
    | table Type col1 col2 col3]
    [search search3
    | eval Type="Search 3"
    | table Type col1 col2 col3]
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

twh1
Communicator
‎04-11-2019 06:43 AM

Hi @dmarling ,
All there tables have different field names. I tried for union command, but it is merging all table columns and displaying the data.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...