Splunk Search

Combining multiple rows of chart data into one for alerting

VikhyathMaiya
Explorer

Hello Splunk community. I have a search query which I am using to report the daily API stats. I have a requirement where I want to send the result of the below query (which is a chart table) to Slack.

Query:

index=api* metaData.pid="apiDdata" | chart count BY apiName status

And the result looks like:

[screenshot of the chart result]

What I learnt from the Splunk webhooks is that they can send only one row of data at a time. So if I have to send the whole data, I need to send it result by result.

So my question is, is there any way to combine the table into a single value, something like below, so that I can send it to Slack in one shot?

Something like below:

=================================================
|| ApiName    ||    Success    ||    NULL    ||
-------------------------------------------------
|| Api 1      ||    123        ||    222     ||
|| Api 1      ||    123        ||    222     ||
|| Api 1      ||    123        ||    222     ||
|| APi 2      ||    123        ||    222     ||
-------------------------------------------------
The above table is a single string value which I am expecting to be sent to Slack. Is it possible? Please help 🙂

1 Solution

ITWhisperer
SplunkTrust

| makeresults
| eval _raw="apiName    success    NULL
Api 1            123            222
Api 1            123            222
Api 1            123            222
APi 2            123            222"
| multikv forceheader=1
| table apiName success NULL
| eval line=printf("%-30s% 7d% 7d",apiName, success, NULL)
| stats list(line) as line
| eval headers=printf("%-30s% 7s% 7s","apiName","success","NULL")
| eval line=mvappend(headers,line)
| fields - headers

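The same fixed-width rendering done outside Splunk, as an added example that is not from this thread or from Splunk: a script that already has the chart rows (say, fetched from the search REST API) and wants to post them to the Slack webhook as one message. Column widths are computed from the data rather than fixed at 30 characters, so apiName values of any length stay aligned, and backticks are stripped so a value taken from log data cannot close Slack's code block early. The sample rows, the function names and the webhook body shape are assumptions made for the example.

```python
import json

# Constructed sample rows in the shape Splunk's `chart count BY apiName status`
# produces (one row per apiName, one column per status value); not thread data.
SAMPLE_ROWS = [
    {"apiName": "Api 1", "success": 123, "NULL": 222},
    {"apiName": "payments/authorize/v2", "success": 9876, "NULL": 4},
    {"apiName": "APi 2", "success": 123, "NULL": 222},
]
COLUMNS = ["apiName", "success", "NULL"]


def format_table(rows, columns):
    """Render rows as one fixed-width text block, one line per row.

    Widths come from the longest value in each column, so apiName values of
    any length stay aligned (the SPL printf("%-30s ...") form assumes names fit
    in 30 characters). First column left-aligned, the rest right-aligned,
    matching the "%-30s% 7d% 7d" layout of the SPL solution.
    """
    widths = {
        c: max([len(c)] + [len(str(r.get(c, ""))) for r in rows]) for c in columns
    }

    def render(values):
        cells = []
        for i, c in enumerate(columns):
            text = str(values.get(c, ""))
            cells.append(text.ljust(widths[c]) if i == 0 else text.rjust(widths[c]))
        return "  ".join(cells)

    header = render({c: c for c in columns})
    rule = "-" * len(header)
    return "\n".join([header, rule] + [render(r) for r in rows])


def slack_payload(rows, columns, title="Daily API stats"):
    """Build the JSON body for a Slack incoming webhook (assumed message shape).

    The table is wrapped in a ``` block so Slack keeps the monospace alignment.
    Backticks are replaced first: apiName comes from log data, and a value
    containing ``` would otherwise end the block and render the rest as markup.
    """
    table = format_table(rows, columns).replace("`", "'")
    return json.dumps({"text": f"*{title}*\n```\n{table}\n```"})


if __name__ == "__main__":
    print(format_table(SAMPLE_ROWS, COLUMNS))
    print(slack_payload(SAMPLE_ROWS, COLUMNS))
```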

VikhyathMaiya
Explorer

@ITWhisperer Hello. Thanks for your answer. This seems to be working. Just an extended question: is there any way we can ensure the formatting of this table, since apiNames could be of varying length? Is there any way to achieve this?

VikhyathMaiya
Explorer

Just a follow-up question. In case I have an additional field called apiTime in each field and I want to calculate the tp99 grouped by apiName, how can we achieve that with this? I tried a couple of things with appendCols; nothing made it work. Could you please help me with this as well?

VikhyathMaiya
Explorer

This is awesome. Works like a charm. Thank you 🙂

ITWhisperer
SplunkTrust

Would something like this work?

| makeresults
| eval _raw="apiName    success    NULL
Api 1            123            222
Api 1            123            222
Api 1            123            222
APi 2            123            222"
| multikv forceheader=1
| table apiName success NULL
| eval line=mvappend(apiName, success, NULL)
| eval line=mvjoin(line,"    ")
| transpose 0
| eventstats list(eval(if(column!="line",column,null()))) as headers
| eval headers=mvjoin(headers,"    ")
| transpose 0 header_field=column
| sort 0 column
| stats list(line) as line