Splunk Search

Combining multiple rows of chart data into one for alerting

VikhyathMaiya
Explorer

Hello Splunk community. I have a search query which I am using to report the daily API stats. I have a requirement where I want to send the result of the below query (which is a chart table) into Slack.

Query:

index=api* metaData.pid="apiDdata" | chart count BY apiName status

And the result looks like

[Screenshot: chart result table]

What I learnt from the Splunk webhooks is that they can send only one row of data at a time. So if I have to send the whole data, I need to send it result by result.

So my question is, is there any way to combine the table into a single value, something like below, so that I can send it to Slack in one shot?

Something like below

===================================================
|| ApiName          ||   Success   ||   NULL   ||
---------------------------------------------------
|| Api 1            ||     123     ||   222    ||
|| Api 1            ||     123     ||   222    ||
|| Api 1            ||     123     ||   222    ||
|| APi 2            ||     123     ||   222    ||
---------------------------------------------------
The above table is a single string value which I am expecting to be sent to Slack. Is it possible? Please help 🙂

1 Solution

ITWhisperer
SplunkTrust
| makeresults
| eval _raw="apiName    success    NULL
Api 1            123            222
Api 1            123            222
Api 1            123            222
APi 2            123            222"
| multikv forceheader=1
| table apiName success NULL
| eval line=printf("%-30s% 7d% 7d",apiName, success, NULL)
| stats list(line) as line
| eval headers=printf("%-30s% 7s% 7s","apiName","success","NULL")
| eval line=mvappend(headers,line)
| fields - headers


VikhyathMaiya
Explorer

@ITWhisperer Hello. Thanks for your answer. This seems to be working. Just an extended question: is there any way we can ensure the formatting of this table, since apiNames could be of varying length? Is there any way to achieve this?

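As an added example (not code from the thread), the same row-to-string transformation in Python, run over the accepted answer's sample data: the apiName column is padded to the longest value present rather than a fixed 30 characters, which is what keeps alignment when names vary in length (the follow-up concern), and the result is wrapped as a Slack webhook body. The parse_table helper only approximates what multikv forceheader=1 does; the field names and sample rows are the thread's.

```python
import json
import re
from typing import Dict, List

# Constructed sample, copied from the thread's makeresults input (not live API data).
RAW = """apiName    success    NULL
Api 1            123            222
Api 1            123            222
Api 1            123            222
APi 2            123            222"""

COLUMNS = ["apiName", "success", "NULL"]


def parse_table(raw: str) -> List[Dict[str, str]]:
    """Approximate `multikv forceheader=1`: the first line is the header and
    columns are separated by runs of two or more spaces, so the single space
    inside a value such as 'Api 1' is preserved."""
    def split(s: str) -> List[str]:
        return re.split(r" {2,}", s.strip())
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    header = split(lines[0])
    return [dict(zip(header, split(ln))) for ln in lines[1:]]


def render_table(rows: List[Dict[str, str]], columns: List[str]) -> str:
    """Same shape as the accepted answer's printf -> stats list -> mvappend chain:
    one header line followed by one line per row. The text column is padded to
    the longest value seen (the answer hard-codes 30); the numeric columns are
    right-aligned in 7 characters, matching the answer's "% 7d"."""
    name_col, num_cols = columns[0], columns[1:]
    width = max([len(name_col)] + [len(r[name_col]) for r in rows])
    fmt = "{:<%d}" % width + " {:>7}" * len(num_cols)
    out = [fmt.format(*columns)]
    for r in rows:
        out.append(fmt.format(r[name_col], *(int(r[c]) for c in num_cols)))
    return "\n".join(out)


def slack_payload(table_text: str) -> str:
    """Body for one webhook message. The table sits inside a ``` block so Slack
    renders it in a monospace font and the padding still lines up."""
    return json.dumps({"text": "```\n" + table_text + "\n```"})


if __name__ == "__main__":
    print(slack_payload(render_table(parse_table(RAW), COLUMNS)))
```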
VikhyathMaiya
Explorer

Just a follow-up question. In case I have an additional field called apiTime in each field and I want to calculate tp99 grouped by apiName, how can we achieve that with this? I tried a couple of things with appendCols... Nothing made it work. Could you please help me with this as well?

VikhyathMaiya
Explorer

This is awesome. Works like a charm. Thank you 🙂

ITWhisperer
SplunkTrust

Would something like this work?

| makeresults
| eval _raw="apiName    success    NULL
Api 1            123            222
Api 1            123            222
Api 1            123            222
APi 2            123            222"
| multikv forceheader=1
| table apiName success NULL
| eval line=mvappend(apiName, success, NULL)
| eval line=mvjoin(line,"    ")
| transpose 0
| eventstats list(eval(if(column!="line",column,null()))) as headers
| eval headers=mvjoin(headers,"    ")
| transpose 0 header_field=column
| sort 0 column
| stats list(line) as line