Conditional email subject line

ygaluzo · ‎04-04-2019

Hello,
I have search
index=* ERROR | eval svc=mvindex(split(index,"-"),4) | stats count(svc) as cnt_svc by svc,source | where cnt_svc > 10

and my result can be for multiple services or for single service:
svc source cnt_svc

accounts /data/errors.log 120
accounts /data/system.log 23
users /data/system.log 34
orders /data/errors.log 83

or

svc source cnt_svc

accounts /data/errors.log 120
accounts /data/system.log 23

My email subject line has to be "Splunk errors for 3 services" in the 1st case or "Splunk errors for accounts" in the 2nd case.
Is it possible to do it?

Thank you.

whrg · ‎04-04-2019

Add this line to your search:

| eventstats count as totalcount

Now you should have an additional column "totalcount", which is 4 in this example:

svc       source            cnt_svc  totalcount
accounts  /data/errors.log  120      4
accounts  /data/system.log  23       4
users     /data/system.log  34       4
orders    /data/errors.log  83       4

Now change the email subject line of your alert to:

Splunk errors for $result.totalcount$ services

Conditional email subject line

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

Conditional email subject line

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025