- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract a field/or a single value from a sched...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am generating an alert everyday at 2am, the alert is basically a table with several fields, now I would like the user to utilize this saved alert by only using a single value from it (I need the entire table because beforehand I do not know which value the user will select)
currently it is only
<table>
<search ref="alert_objects"></search>
</table>
is it possible to search in this like
<table>
<search ref="alert_objects"> | search * host="$host_token$"
table total_time</search>
</table>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
Replace
<table>
<search ref="alert_objects"></search>
</table>
With Updated
<form>
...other xml portions..
<search ref="alert_objects" id="base_alert_objects" ></search>
....
<table>
<search base="base_alert_objects"> <query> search * host="$host_token$" | table total_time</query></search>
</table>
...
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
Replace
<table>
<search ref="alert_objects"></search>
</table>
With Updated
<form>
...other xml portions..
<search ref="alert_objects" id="base_alert_objects" ></search>
....
<table>
<search base="base_alert_objects"> <query> search * host="$host_token$" | table total_time</query></search>
</table>
...
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
awesome it works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should work but it is giving me the entire table again, seems like its ignoring this entire part
search * host="$host_token$" | table total_time
I have
<row>
<panel>
<search ref="alert_objects" id="base_alert_objects" ></search>
<table>
<search base="base_alert_objects"> search * host="$host_token$" | table total_time</search>
</table>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I missed the query tag in there. Try the updated one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<search ref="alert_objects"></search>
is not the search query.
can you copy and paste the whole xml please..
or, the <query> part.
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The actual search query is saved as an alert (alert name "alert_objects")
I am trying to get a field value from it, this is the actual query (saved as alert)
index=main host="*"
| transaction startswith="StartSession" endswith="EndSession" by source
| appendpipe [ | stats count | where count = 0 | eval duration=0]
| eval session_per_source = duration
| stats sum(session_per_source) as total_time by host
| table host, total_time
| fillnull value=NULL
I need the entire table as an alert, and was wondering if I could query this alert and only show the value part
| search * host="$host_token$"
table total_time
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
