Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract a field/or a single value from a scheduled alert table

smhsplunk
Communicator
‎10-16-2016 04:49 PM

So I am generating an alert everyday at 2am, the alert is basically a table with several fields, now I would like the user to utilize this saved alert by only using a single value from it (I need the entire table because beforehand I do not know which value the user will select)

currently it is only 

<table>
<search ref="alert_objects"></search>
</table>

is it possible to search in this like

<table>
<search ref="alert_objects"> | search * host="$host_token$" 
 table total_time</search>
</table>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-17-2016 07:58 AM

Try like this

Replace 

<table>
 <search ref="alert_objects"></search>
 </table>

With Updated

<form>
...other xml portions..
<search ref="alert_objects" id="base_alert_objects" ></search>
....
 <table>
 <search base="base_alert_objects"> <query> search * host="$host_token$" |  table total_time</query></search>
 </table>
...
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-17-2016 07:58 AM

Try like this

Replace 

<table>
 <search ref="alert_objects"></search>
 </table>

With Updated

<form>
...other xml portions..
<search ref="alert_objects" id="base_alert_objects" ></search>
....
 <table>
 <search base="base_alert_objects"> <query> search * host="$host_token$" |  table total_time</query></search>
 </table>
...
</form>
Reply
Solved! Jump to solution

smhsplunk
Communicator
‎10-17-2016 08:40 AM

awesome it works!

0 Karma
Reply
Solved! Jump to solution

smhsplunk
Communicator
‎10-17-2016 08:26 AM

This should work but it is giving me the entire table again, seems like its ignoring this entire part 

search * host="$host_token$" |  table total_time

I have

<row>
<panel>
<search ref="alert_objects" id="base_alert_objects" ></search>
<table>
  <search base="base_alert_objects">  search * host="$host_token$" |  table total_time</search>
  </table>
</panel>
</row>
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-17-2016 08:29 AM

I missed the query tag in there. Try the updated one.

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2016 01:25 AM

<search ref="alert_objects"></search>
is not the search query.

can you copy and paste the whole xml please..
or, the <query> part.

0 Karma
Reply
Solved! Jump to solution

smhsplunk
Communicator
‎10-17-2016 07:52 AM

The actual search query is saved as an alert (alert name "alert_objects")
I am trying to get a field value from it, this is the actual query (saved as alert)

index=main host="*"   
                  | transaction startswith="StartSession" endswith="EndSession" by source   
          | appendpipe [ | stats count | where count = 0 | eval duration=0]
                  | eval session_per_source = duration 
                  | stats sum(session_per_source) as total_time by host
                  | table host, total_time
                  | fillnull value=NULL

I need the entire table as an alert, and was wondering if I could query this alert and only show the value part
| search * host="$host_token$"
table total_time

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...