Splunk Search

How do I make a custom alert message with variables?

rbrisseyii
Explorer

Hello,

I have a search with several OR statements in it. Example, Microservice=this OR Microservice=that. When the search runs and emails me an alert, I currently have it set to "$result.Microservice$ with $job.resultCount$ alerts".

In the text of the email, it only returned the name of the first Microservice, but gave me a total count of both This and That's events.

I would like it to give me:
"This" had x alerts
"That" had y alerts

Any suggestions as to how I can have the email alert give me totals for each Microservice? I actually have a few more Microservices in my real search, I only listed 2 above.

Thanks.


burwell
SplunkTrust

Hi @rbrisseyii, what I tend to do in this situation is

my search
| stats count by Microservice SiteType
| eval Microservice_SiteType_count = Microservice . " " . SiteType . " = " . count . " alerts"
| stats values(Microservice_SiteType_count) as Microservice_counts

And then I use $result.Microservice_counts$ in your alert

You can format the eval however you like.

The idea is that you are creating a field Microservice_SiteType_count for each Microservice/SiteType pair.
And then finally you are looking at the values of all those pairs, and you can grab them in your alert by using $result.Microservice_counts$


rbrisseyii
Explorer

my search | eventstats count as _toemail by Microservice SiteType | eval _toemail = Microservice . " " . SiteType . " had " . _toemail . " alerts.\n" | eventstats values(_toemail) as _toemail | eval _toemail = mvjoin(_toemail, " ")

which provides the following output in email:
microservice1 Prod had 336 alerts.
microservice2 Prod had 23 alerts.
microservice3 Prod had 5 alerts.


mstjohn_splunk
Splunk Employee

I'm glad you figured out an answer to your question @rbrisseyii. Would you mind accepting it so that others will know it's the correct solution?

Thanks!


burwell
SplunkTrust

Hi @rbrisseyii can you share your exact search?


rbrisseyii
Explorer

I will just provide the solution I was given through the Splunk Community Slack channel:

| eventstats count as _toemail by Microservice SiteType | eval _toemail = Microservice . " " . SiteType . " had " . _toemail . " alerts.\n" | eventstats values(_toemail) as _toemail | eval _toemail = mvjoin(_toemail, " ")

which provides the following output in email:
microservice1 Prod had 336 alerts.
microservice2 Prod had 23 alerts.
microservice3 Prod had 5 alerts.

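A complete alert search in the style of the two answers above, added here as an illustration rather than taken from the thread; the index, sourcetype and the three Microservice names are assumed. The reason the original message showed only one Microservice is that the $result.<field>$ token reads the first result row only, so this search folds every per-service line (and a grand total) into a single row that the token can read.

```spl
index=app_logs sourcetype=microservice_errors
    (Microservice="this" OR Microservice="that" OR Microservice="other")
| stats count by Microservice SiteType
| eval line = Microservice . " " . SiteType . " had " . count . " alerts."
| stats sum(count) as total_alerts, values(line) as Microservice_counts
| eval Microservice_counts = mvjoin(Microservice_counts, "\n")
| where total_alerts > 0
```

Set the alert message to `$result.Microservice_counts$` followed by `Total: $result.total_alerts$`, with the trigger condition "number of results is greater than 0". The final `where` keeps the alert from firing on a search that matched nothing, since the second `stats` otherwise still returns one (empty) row.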