Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract a field/or a single value from a scheduled...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smhsplunk
Communicator
10-16-2016
04:49 PM
So I am generating an alert everyday at 2am, the alert is basically a table with several fields, now I would like the user to utilize this saved alert by only using a single value from it (I need the entire table because beforehand I do not know which value the user will select)
currently it is only
<table>
<search ref="alert_objects"></search>
</table>
is it possible to search in this like
<table>
<search ref="alert_objects"> | search * host="$host_token$"
table total_time</search>
</table>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-17-2016
07:58 AM
Try like this
Replace
<table>
<search ref="alert_objects"></search>
</table>
With Updated
<form>
...other xml portions..
<search ref="alert_objects" id="base_alert_objects" ></search>
....
<table>
<search base="base_alert_objects"> <query> search * host="$host_token$" | table total_time</query></search>
</table>
...
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-17-2016
07:58 AM
Try like this
Replace
<table>
<search ref="alert_objects"></search>
</table>
With Updated
<form>
...other xml portions..
<search ref="alert_objects" id="base_alert_objects" ></search>
....
<table>
<search base="base_alert_objects"> <query> search * host="$host_token$" | table total_time</query></search>
</table>
...
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smhsplunk
Communicator
10-17-2016
08:40 AM
awesome it works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smhsplunk
Communicator
10-17-2016
08:26 AM
This should work but it is giving me the entire table again, seems like its ignoring this entire part
search * host="$host_token$" | table total_time
I have
<row>
<panel>
<search ref="alert_objects" id="base_alert_objects" ></search>
<table>
<search base="base_alert_objects"> search * host="$host_token$" | table total_time</search>
</table>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-17-2016
08:29 AM
I missed the query tag in there. Try the updated one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
10-17-2016
01:25 AM
<search ref="alert_objects"></search>
is not the search query.
can you copy and paste the whole xml please..
or, the <query> part.
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smhsplunk
Communicator
10-17-2016
07:52 AM
The actual search query is saved as an alert (alert name "alert_objects")
I am trying to get a field value from it, this is the actual query (saved as alert)
index=main host="*"
| transaction startswith="StartSession" endswith="EndSession" by source
| appendpipe [ | stats count | where count = 0 | eval duration=0]
| eval session_per_source = duration
| stats sum(session_per_source) as total_time by host
| table host, total_time
| fillnull value=NULL
I need the entire table as an alert, and was wondering if I could query this alert and only show the value part
| search * host="$host_token$"
table total_time
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Data Persistence in the OpenTelemetry Collector
This blog post is part of an ongoing series on OpenTelemetry.
What happens if the OpenTelemetry collector ...
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
Now On Demand
Whether you're managing complex deployments or looking to future-proof your data ...
Community Content Calendar, September edition
Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...
